UK data adequacy under scrutiny: civil society warns EU not to reward deregulation disguised as ‘simplification’

Civil society organisations, including EDRi and EDRi members Open Rights Group and Privacy International, are urging the European Commission not to re-adopt the UK’s data adequacy decisions without meaningful reform. The UK’s rollback of protections under the guise of ‘simplification’ puts the level of protection required by the General Data Protection Regulation (GDPR) and Court of Justice of the European Union (CJEU) case law at risk and exposes the Commission’s decisions to legal challenge.

By EDRi · June 3, 2025

Recent developments: UK divergence grows as adequacy review approaches

The United Kingdom’s data adequacy decisions under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED) are currently under review. With the original decisions due to expire in December 2025 (after an extension of 6 months), the European Commission must now assess whether the UK continues to ensure a level of protection for our data that is essentially equivalent to that guaranteed in the European Union.

Since 2021, the UK has enacted and proposed a series of legal reforms that significantly weaken data protection safeguards, reduce rights, and undermine regulator independence. These include the Data (Use and Access) Bill, recent amendments to the Investigatory Powers Act, and provisions that endanger both automated decision-making rights and encryption.

Read the open letter.

‘Simplification’ is a cover for systemic deregulation in the UK as well

These legal changes are being promoted under the guise of ‘simplification’, a term that increasingly masks structural deregulation. UK authorities frame safeguards as ‘barriers to growth’, while advancing policies that expand government access to personal data, lower conditions for international data transfers, and entrench opaque algorithmic surveillance.

This narrative mirrors similar developments within the EU. As pressure mounts to revise the GDPR in the name of ‘simplification’, extending adequacy to a country actively dismantling its own protections risks mainstreaming a deregulatory logic. It would also make it harder for the EU to demand high standards from other countries undergoing adequacy reviews.

A legal and political test for the Commission

Under Article 45 of the GDPR and CJEU case law, adequacy requires a third country to provide protections that are not identical, but ‘essentially equivalent’, to those of EU law, both in substance and enforcement. This includes independent oversight, effective redress, and limits on indiscriminate surveillance.

By renewing the UK’s adequacy decisions without addressing clear deficiencies, the Commission would expose them to legal challenge before the CJEU, repeating the pattern of Safe Harbour and Privacy Shield, both of which were struck down.

In fact, the re-adoption of the UK adequacy decisions might prove to be the ultimate litmus test. The Commission’s willingness to maintain the EU-US Data Privacy Framework (DPF) despite its inconsistencies with EU legal standards has already raised serious concerns. It reveals a growing gap between the Commission’s political commitments and its obligation to use the legal tools at its disposal to protect fundamental rights. The UK decisions now offer a clear opportunity to reverse that trend.

What’s next?

EDRi, Open Rights Group, Privacy International and the other signatories will continue to monitor the review process and advocate for a rights-based approach to data transfers. Adequacy decisions are not trade or geopolitical concessions: they are legal guarantees. If the Commission wants to protect the credibility of the GDPR and its rule of law as a whole, it must act in line with its own legal framework and not repeat past mistakes.