March 27, 2025

EPRS publishes paper on potential challenges to UK data adequacy decisions

A&O Shearman

+ Follow Contact

Send

Embed

A&O Shearman

On March 7 2025, the European Parliamentary Research Service (EPRS) published a paper outlining the challenges to UK data adequacy and ongoing national legislative reforms that could affect the renewal of the two existing adequacy decisions for the UK.

The UK adequacy decisions were originally due to expire on June 27 2025, unless the European Commission found that the UK continues to maintain an 'essentially equivalent' level of data protection to that of the EU. The UK adequacy decisions were, subsequently, both granted a six-month extension until December 27 2025.

The EPRS highlighted the following provisions under the proposed Data (Use and Access) Bill (introduced to Parliament in October 2024) as potentially threatening the renewal of the UK adequacy decisions:

the removal of protections and safeguards relating to automated decision-making;
the notable reduction of transparency obligations, particularly relating to AI data;
granting undue powers to the Secretary of State to override safeguards; and
the reduction of accountability relating to how data is shared in respect of law enforcement and other public purposes.

The EPRS also summarised concerns expressed by digital rights organisations, academics and the tech industry concerning the Investigatory Powers (Amendment) Act 2024. These concerns relate to:

the introduction of a loosely defined concept of ‘bulk personal data’, with ‘low or no reasonable expectation of privacy’, which could be retained by intelligence services with categorical (rather than specific) judicial approval;
the exculpation of civil servants from the offence of ‘unlawfully obtaining communications data’ where the civil servant obtained the data with ‘lawful authority’ as the data had previously been made public;
granting power to the Secretary of State to require telecommunications operators to notify service and product changes that could, if approved, hinder privacy and security improvements to facilitate surveillance operations; and
the requirement for recipients of data retention, national security, or technical capability notices to continue providing intelligence assistance, even in cases passed back to the Secretary of State for review (but where access was granted before issuance of the notice).

The EPRS paper is available here.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

Written by:

A&O Shearman

Contact + Follow

Justyna Ostrowska

+ Follow

less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

Increased visibility
Actionable analytics
Ongoing guidance

Learn More

Published In:

Artificial Intelligence

+ Follow

Data Privacy

+ Follow

Data Protection

+ Follow

General Data Protection Regulation (GDPR)

+ Follow

National Security

+ Follow

New Legislation

+ Follow

Privacy Laws

+ Follow

Regulatory Reform

+ Follow

International Trade

+ Follow

Privacy

+ Follow

Science, Computers & Technology

+ Follow

less

A&O Shearman on:

EPRS publishes paper on potential challenges to UK data adequacy decisions

Latest Posts

Written by:

PUBLISH YOUR CONTENT ON JD SUPRA NOW

Published In:

A&O Shearman on:

"My best business intelligence, in one easy email…"