EU-UK Data Transfers: Adequacy Decision Extended, But Uncertainty Remains

[co-author: Anton Strukoff]

On May 14, 2025, the European Data Protection Board ("EDPB") issued a favorable opinion on granting a six-month extension to the existing adequacy decisions for the UK, following a formal proposal from the European Commission. This short-term extension aims to preserve legal continuity for personal data transfers from the EU to the UK while the UK continues to finalize the text of the Data (Use and Access) ("DUA") Bill. The DUA Bill will introduce various modifications to the UK GDPR. The text of the DUA Bill is expected to be agreed in the coming weeks.

Background

An adequacy decision is a mechanism under the GDPR that allows the European Commission to determine whether a third country outside of the EU offers a level of personal data protection “essentially equivalent” to that within the EU. Because the countries outside of the EU but within the European Economic Area ("EEA") (Norway, Iceland and Liechtenstein) adhere to and have endorsed the GDPR, the scope of adequacy decisions extends to these EEA countries as well. Such a decision permits data flows to that third country without the need for a valid data transfer mechanism, such as the contractual safeguards imposed on the data importer under the Standard Contractual Clauses ("SCCs").

On June 28, 2021, the European Commission adopted two adequacy decisions for the UK, recognizing that the UK data protection framework (substantially comprising the UK GDPR) was sufficiently aligned with the GDPR and the EU’s Law Enforcement Directive. However, these decisions included a “sunset clause”: the four-year adequacy status is set to expire on June 27, 2025. Hence a renewed adequacy decision is needed.

Why the Grant of an Exceptional Extension?

On March 18, 2025, the European Commission proposed extending the adequacy decisions for six months to provide time for the UK to conclude its legislative process on the DUA Bill. The protracted discussions in the UK parliament regarding the modifications to the data protection regime, and the need for the assessment of “essential equivalence” to be based on a stable legal framework, justify an exceptional extension. This six-month extension is intended to avoid legal uncertainty for businesses relying on data transfers from the EU to the UK while the new UK framework is finalized. The European Commission has said there will be no further extension. The EDPB also notes that the idea of an extension is an exceptional and temporary solution, not to be relied upon as a precedent.

Proposed Changes to the UK Framework

Any revision of the UK’s data protection framework can theoretically lead the European Commission to reconsider and possibly revoke adequacy status. However, a decision to immediately revoke adequacy status seems very unlikely. The European Parliamentary Research Service ("EPRS") warned that some of the UK’s proposed changes undermine core data protection principles, including transparency and accountability. In particular, the EPRS notes a range of provisions that raise new, or deepen existing, adequacy concerns, such as:

  1. The removal of protections in relation to automated decision-making ("ADM"). The DUA Bill would remove the broad general prohibition against ADM. It will now be solely up to data controllers to decide whether ADM is appropriate based on a suitably selected lawful basis. While the DUA Bill continues to prohibit ADM in relation to special category data, NGOs, such as Open Rights Group, have criticized the UK government’s proposals as prioritizing the wider adoption of AI in society at the expense of increasing the risks of discriminatory or unfair ADM;
  2. The reduction of transparency, particularly in the AI space. The DUA Bill would reduce the scope of transparency obligations. Data controllers would no longer need to provide information to data subjects if providing the requested information would involve a disproportionate effort, and information provided would now be subject to the amorphous cap of a “reasonable and proportionate” search. As AI systems are inherently difficult to search for the data they contain, AI developers may be able to ignore the bulk of data subject access requests on this ground. Furthermore, the DUA Bill introduces an “applicable time period” with a pause mechanism if (for example) further information is needed from the requester, further delaying access and amending the existing one-month time frame for organizations to respond to requests;
  3. Excessive powers conferred to the Secretary of State (head of a government department) to override safeguards. The DUA Bill inserts a new list of “recognized legitimate interests” into the UK GDPR. This list includes exemptions for certain processing objectives such as public security, the protection of judicial independence and judicial proceedings, or the protection of the data subject or rights and freedoms of others. However, the Secretary of State can add to or vary this list at will, giving the Secretary of State wide-ranging powers. The breadth of the Secretary of State’s decision-making powers has been identified by EU stakeholders as the most troubling cause for concern in relation to future UK data protection adequacy;
  4. Lower accountability for how data are shared and accessed by law enforcement and for other public purposes. The DUA Bill updates the Data Protection Act 2018 and removes the requirement for law enforcement agencies in the UK to document their reasons for accessing data from police databases. This diminishes the accountability of law enforcement as regards how they process data and for what purpose.

In the absence of adequacy, the flow of personal data requires a case-by-case determination of the legal framework of the jurisdiction in question. It also requires identifying other safeguards, such as SCCs or, in relation to intra-group transfers, onerous Binding Corporate Rules. All in all, lack of adequacy means higher compliance costs, greater operational complexity, and increased legal risk exposure. Cross-border data flows, which are essential to many business models, are likely to be delayed and disrupted without this extension.

Is the Adequacy Status Really at Risk: What is Next?

While this temporary extension provides breathing room for businesses navigating EU-UK data flows, it is worth considering whether the future of the UK’s adequacy status remains uncertain or if any such suggestions are being timed to keep British lawmakers and the government ‘in check’ and from going too far in their efforts to modify the existing framework.

On the face of it, it would be very surprising if, even with the changes proposed by the DUA Bill, the UK would lose its adequacy status. We are expecting the UK to most likely have adopted a revised framework by this summer. We remain optimistic on a positive outcome while closely monitoring developments on both sides of the Channel.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© King & Spalding

Written by:

King & Spalding