During its latest plenary session, the European Data Protection Board adopted two opinions about the European Commission’s draft decisions on the extension of the validity of the UK adequacy decisions under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED) until December 2031.
The European Commission requested the EDPB opinions under Article 70(1) (s) GDPR and Article 51(1) (g) LED. They address the proposed six-year extension of the two UK adequacy decisions, which are set to expire in December 2025. The extension of the validity of the UK adequacy decisions will allow organisations and competent authorities based in Europe to continue transferring data to UK-based organisations and authorities without implementing additional guarantees.
GDPR opinion
According to the Board, most of the changes introduced to the UK’s data protection framework aim to clarify and facilitate compliance with the law. It says that some aspects of the draft decision could be further clarified.
The European Commission should further analyse and monitor the changes to the Retained EU Law (Revocation and Reform) Act 2023, also known as REUL Act, in particular the removal of the principle of primacy of EU law and the removal of the direct application of the principles of EU law.
The EDPB notes that the Secretary of State has been granted new powers to introduce changes to the new data protection framework, via secondary regulations which require less Parliamentary scrutiny. This applies to international transfers, automated decision-making, and the governance of the ICO. The EDPB says that the Commission should consider possible risks of divergence by highlighting, in the final adequacy decision, the areas which they intend to carefully monitor.
The EDPB also encourages the Commission to further elaborate its assessment and monitor the rules on transfers from the UK to third countries. The new adequacy test, introduced by the Data (Use and Access) Act 2025, requires the level of protection of the third country to be not materially lower than the one provided for data subjects by the UK framework, but this test does not refer to the risk of government access, the existence of redress for individuals and the need for an independent supervisory authority.
The Commission should also further assess and monitor the planned use by the UK government of Technical Capability Notices requiring companies to circumvent encryption, as it says this would create systemic vulnerabilities and pose a risk to the integrity and confidentiality of electronic communications.
Finally, the EDPB calls on the Commission to further assess and monitor the changes to the structure of the ICO and the exercise of its corrective powers. In this context, the EDPB positively notes the transparency policy of the ICO and the availability of the statistical and analytical data of its enforcement activities.
The new adequacy decisions will add to the 2021 decisions, which will continue to apply to areas not covered in the 2025 draft decisions. The EDPB builds on its 2021 opinions (14/2021 and 15/2021). In particular, the close alignment between the GDPR framework and the UK legal framework on key provisions, highlighted in 2021, continues to hold true today (including, for example, transparency, data subject rights, and special categories of data).
LED opinion
The EDPB welcomes the continuous alignment between the data protection frameworks in Europe and the UK. That said, it encourages the Commission to review aspects relating to national security exemptions. Those exemptions may waive most data protection principles and some international transfer rules for law enforcement authorities, as well as limiting ICO’s enforcement and inspection powers. The EDPB invites the Commission to analyse the UK’s rules on transfers of personal data to third countries, particularly the new adequacy test, in the same way as in the GDPR opinion. The Board also points out the more permissive approach for automated decision making and the new powers conferred to the Secretary of State in this matter. It highlights the importance of meaningful human review and urges the Commission to clarify and monitor possible exemptions from individuals’ right to obtain human intervention. Finally, the EDPB acknowledges that the system of oversight of criminal law enforcement agencies as well as the redress mechanisms remain largely unchanged, and it reiterates the need for the Commission to closely monitor the application of corrective powers and remedies for individuals in the UK data protection framework.
