
Adequate for now: EDPB’s opinion on the level of data protection in the UK

The European Data Protection Board (EDPB) has recently adopted its opinion on the European Commission’s draft implementing decision to extend the adequacy decision for the UK under Article 45 of the EU General Data Protection Regulation (EU GDPR) until 27 December 2031 (Opinion).

Such adequacy decision permits transfers of personal data under the EU GDPR to recipients based in the UK without requiring additional safeguards under the EU GDPR. In its assessment, the EDPB examines whether the UK’s data protection regulations continue to ensure an essentially equivalent level of protection in light of developments since 2021, in particular the Data (Use and Access) Act 2025 (DUAA).

Overall, the EDPB “welcomes the continuing alignment” between the UK and EU data protection frameworks, while also striking a cautious tone with repeated calls for the Commission to conduct further analysis regarding several points and to commit to close, ongoing monitoring in the coming years. 

Main considerations of the EDPB

In its assessment, the EDPB addresses, inter alia, the following aspects of the UK’s legal framework:

Removal of the principle of primacy of EU law: The EDPB highlights that the Retained EU Law (Revocation and Reform) Act 2023 (REUL Act) removes the principle of primacy of EU law and the direct application of the principles of EU law including the fundamental rights deriving from the EU Charter of Fundamental Rights, constituting a significant change in the UK’s legal order. The EDPB expresses concerns about the potential impact on the data protection framework and calls on the Commission to assess these changes in more detail and monitor them closely.

Increased importance of secondary legislation: The EDPB notes that the Secretary of State has been granted new powers to introduce changes to the DUAA via secondary regulations which entails less parliamentary scrutiny and may create a risk of divergence with EU standards in certain areas such as international transfers, automated decision-making and the governance of the Information Commission.

Potential limitation of the right of access: With regard to the right of access, the EDPB flags the introduction of a qualifier providing that controllers only have to carry out “reasonable and proportionate” searches in order to comply with access requests by data subjects. The Opinion notes that the EU GDPR does not include such a limitation and warns that, without a narrow and uniform interpretation, it could lead to inconsistent compliance standards. The EDPB therefore calls on the Commission to monitor its application in practice. Interestingly, the Commission’s own recent “Digital Omnibus” proposal also seeks to address excessive requests, albeit by clarifying the grounds under Article 12 EU GDPR for refusing to act upon a request rather than by limiting the search itself.

Changes in the adequacy test for onward data transfers: The Opinion further elaborates on the DUAA’s new test regarding onward data transfers from the UK to (another) third country. The EDPB expresses particular concerns over the removal of several “important elements” (such as with regard to government access rules and enforceable individual redress) in comparison to the previous UK adequacy test which play, according to the EDPB, an important role in assessing whether a third country offers an essentially equivalent level of protection of personal data. The EDPB therefore urges the Commission to deepen its assessment and to monitor the practical implementation of this new adequacy test.

Governance and enforcement changes at the ICO: The EDPB acknowledges the structural transformation of the UK’s data protection authority from the Information Commissioner’s Office (ICO), a corporation sole, into a board-governed “Information Commission” (IC). While this change is not deemed problematic per se, and the Opinion positively notes that the strict rules governing the dismissal of the ICO’s head are carried over to the IC’s chair, the EDPB calls for close monitoring of the new body’s independence, particularly regarding the appointment rules for its members and its new statutory duty to promote innovation. A practical concern flagged by the EDPB is the ICO's recent proposal – launched only after the Commission's draft – for a new complaints handling “triage system” for the new IC. This would allow the regulator to prioritise or de-prioritise cases based on a non-exhaustive list of criteria, which the EDPB notes could impact the effectiveness of individual redress; it therefore calls on the Commission to assess and closely monitor this new approach.

Extended national security exemptions in the UK: Furthermore, the EDPB expresses concern over the extension of the national security exemptions by the DUAA granting governmental authorities further rights. The Opinion states the EDPB is “particularly vigilant” regarding any exemptions from the principle of proportionality and the requirement to process data for a legitimate purpose. Likewise, it cautions that any exemptions from the powers of the supervisory authority should be “approached with caution” to avoid a supervisory vacuum, and calls on the Commission to assess these extensions and monitor their application in practice.

The UK-U.S. Cloud Act Agreement: The EDPB also addresses the UK-US Cloud Act Agreement, which entered into force in October 2022 and will allow US law enforcement agencies to access EU data stored in the UK under certain circumstances. While the EDPB welcomes clarifications that existing EU safeguards apply, it raises concerns about remaining gaps in this framework. Specifically, the Opinion highlights potential shortcomings in judicial redress for all EU individuals and calls on the Commission to further assess the agreement’s impact and to monitor the agreement in future reviews.

“Backdoor” requirements: The EDPB points to reports of the first known practical application of a Technical Capability Notice (TCN), where the UK government allegedly required a major technology company to enable access to its users’ encrypted data in decrypted form. Purportedly, this would require the provider to circumvent its own end-to-end encryption. The Opinion stresses that the practical implementation of surveillance powers is a key part of the adequacy assessment, not just the law on paper. It calls such measures a “direct threat” to the confidentiality and integrity of communications and urges the Commission to assess this development and monitor it closely.

Retention and examination of “low-privacy” data: The Opinion also addresses a new, simplified UK regime for retaining and examining bulk datasets where individuals are deemed to have a “low or no reasonable expectation of privacy”. The EDPB finds that such processing should at least be subject to either a prior authorisation by an independent authority or to a systematic independent review ex post by a court or an equivalent body. Furthermore, the EDPB highlights the risk of this threshold being interpreted too broadly and urges the Commission to monitor its application in practice.

Key takeaways and strategic considerations

Given the EDPB’s acknowledgement of the continuous alignment between UK and EU data protection regulations, a renewal of the adequacy decision until 2031 as foreseen in the Commission draft appears very likely. However, the Opinion’s repeated emphasis on the need for close monitoring illustrates that the EDPB holds certain reservations and signals that the long-term viability of the UK's adequacy status may depend on the practical implementation of the new UK data protection legislation. 

In combination with the fact that the UK is the only “third country” whose adequacy decision contains (and, after renewal, will continue to contain) a sunset clause (i.e. a definite expiry date), this creates a nuanced outlook for organisations. While EU-UK data flows will remain permissible after a renewal of the adequacy decision without any further measures being required, the long-term stability of that adequacy decision is not entirely predictable. Organisations should therefore monitor the legal situation and practical developments continuously to mitigate future legal risk.

In addition, the Opinion illustrates which factors organisations have to take into account when assessing, in the course of transfer impact assessments, the extent to which additional measures are required.
