UK adequacy decision: a risk for the future and a lesson to be learnt

The UK adequacy decision: how we got here

On 19 June 2025, the UK Data (Use and Access) Act (DUAA) received royal assent, formal approval given by a monarch allowing a bill to become law. This was the culmination of a process dubbed as UK data protection reform, a proposal born as a Boris Johnson’s government in an attempt to “unlock the benefits of Brexit” . This proposal drew severe criticism from the House of Lords, independent regulators, civil society, and European Union Institutions alike.

EDRi member Open Rights Group, together with EDRi, Privacy International and others, had previously warned about the substantial risks introduced by this reform under the guise of “simplification”, calling for heightened scrutiny by the European Commission as the renewal of the UK adequacy status was being assessed. However, following the new Labour government’s approval of a slimmed-down version of the reform , the European Commission published a rather complacent draft extension of the UK adequacy decision.

The draft attracted substantial scrutiny from civil society and UK data protection experts, who pointed out several factual inaccuracies or error in the interpretation of UK law. The European Data Protection Board followed suit with an opinion, reflecting these concerns. In particular, the EDPB opinion found that the Commission’s assessment:

• Understated the risk of further regulatory divergence that the UK government could pursue via delegated legislative powers in key areas of UK data protection law, including lawful bases, automated decision-making and the definition of special category data
• Failed to account for the removal of European Essential Guarantees in the new UK International Data Transfers’ regime;
• Lacked a substantive assessment of the changes to the structure of the Information Commissioner’s Office, the UK data protection authority, and its impact of regulatory independence.

Ultimately the Commission adopted a finalised version of the UK adequacy decision, which can be described as a mixed bag. In the sections that follow, Open Rights Group provides a brief overview of these developments and some concluding thoughts , in the wake of the ongoing EU-UK reset.

Rights and wrongs

Firstly, the UK adequacy decision still underestimates the danger posed by delegated legislative powers, and wrongly concludes that these powers cannot be used to legalise the commercial uses of personal data or restrict the definition of special category data. Likewise, the Commission is satisfied that “the United Kingdom authorities have confirmed that [they] will take into account elements not listed” in the law when authorising International Data Transfers. This is a rather unconvincing response to the removal of European Essential Guarantees from the legal text of the UK GDPR.

Finally, the Commission considered the safeguards against the removal of Board members of the Information Commissioner’s Office (ICO) to be sufficient to guarantee its independence, a dubious statement given that their appointment process provides no legal safeguards against political interference —not to mention the recent, politically-motivated removal of the Chair of the Competition and Markets Authority. The Commission also fails to mention that the ICO is already experiencing a near total-collapse in enforcement, as denounced by a coalition of civil society organisations, academics and data protection practitioners in the UK.

On the other hand, however, the finalised version of the UK adequacy decision now includes a section specifically dedicated to “Monitoring”. This reflects concerns over the potential changes that could be introduced via delegated legislative powers, as well as to the impact that core changes introduced by the reform may have on the practical interpretation of key data protection provisions.

To this end, the decision establishes a mechanism whereby the Commission could formally require UK authorities to introduce changes to UK data protection law if “available information […] reveals that the level of protection afforded by the United Kingdom may no longer be adequate” within a three months period, or face the suspension or repeal of UK adequacy. The Commission also envisions the possibility to react by limiting the scope of the adequacy decision, or introducing additional measures to safeguard data transfers. The latter would resemble a Japan-like arrangement, where UK controllers would be required to siloing and adhering to an “additional” regulatory regime when processing European personal data.

On top of that, the decision still incorporates a sunset clause, which is a law provision that automatically expires on 27 December 2031 unless further action is taken to extend it. There are also stark warnings that adopting Cross-Border Privacy Rules or leaving the European Convention on Human Rights (ECHR) would result in the certain halt of data transfers between the EU and the UK. Being the UK government’s commitment to data protection and human rights rather dubious, these safeguards can only be welcomed.

Understatements made UK date protection an outlier

Taking a broader view, British politics appears today to be very far from the Brexit days, and a rapprochement with the European Union is increasingly framed as in the British national interest. For instance, the UK government has agreed to rejoin the Erasmus programme, contradicting the old Brexit dogma that wanted to spell the “end to freedom of movement” with the EU. Likewise, the UK government has consistently expressed interest in closer cooperation on defence matters, and is expected to propose legislation to align trade and agri-food regulations to the EU rulebook on a continual basis, in a bid to reduce frictions.

However, in stark contrast with this trend , we are seeing developments in the field of data protection. Indeed, the ICO has already launched several consultations, such as proposals to allow the Commissioner to ignore data subjects’ complaints at their discretion, which would further diverge from EU acquis and reduce the level of protection afforded to personal data in the UK. The Labour government has also stated its intention to water down the right to private life protected by the ECHR and the UK Human Rights Act.

On top of this, the introduction of delegated legislative powers has created a significant liability in the UK legal framework. Any effort to strengthen EU-UK relationships is threatened, and it could be easily unmade by a future Nigel Farage’s government, which could use delegated legislative powers to suddenly diverge from the EU rulebook and legalise data grabs of the kind conducted by Elon Musk’s Department Of Government Efficiency.

This state of affairs makes the UK data protection reform a clear outlier in the UK’s overall political trajectory, whose roots are not difficult to trace. UK data protection policies were, in fact, a straightforward continuation of UK’s long-standing “have the cake and eat it” approach. During Brexit negotiations, however, the Commission made it clear from the beginning that the four freedoms of the single market were not a menu à la carte, and that the integrity of the single market was non-negotiable.

Facing clear boundaries, the UK ended up choosing convergence with EU rules as the only viable path. On the other hand, the Commission’s efforts to strike a conciliatory tone and understate the issues introduced by the UK’s data protection reform have no doubt contributed to the UK’s choice to pursue regulatory divergence instead. As the saying goes, the European Commission is reaping what it sowed.

Contribution by: Mariano delli Santi, Legal and Policy Officer, EDRi member, Open Rights Group