European Commission approves extension of UK adequacy decisions

The European Commission announced on 19 December that the renewal of the UK adequacy decisions had completed the approval process. The Commission published the two new decisions extending the current adequacy approvals – one for the GDPR and the other relating to the Law Enforcement Directive – to 27 December 2031.

This is a huge relief for those involved in personal data transfers from the EU/EEA into the UK. The UK Government welcomed the announcement with Ian Murray, Minister for Digital Government and Data, posting on X, “I’m thrilled to welcome the EU’s renewal of its two adequacy decisions for the UK. We remain committed to enabling secure, trusted data flows between the UK and EU to support growth, innovation and security.”

Background

When the UK exited the European Union in January 2021, the major concern for data protection lawyers was what this would mean for transfers of personal data between the UK and EU.

From the UK’s perspective, it deemed each of the EU (and EEA) member states as adequate so that transfers of personal data could continue post Brexit. Transfers between the EU (and EEA) and the UK were not so straightforward.

Between January 2021 and the decision on 28 June 2021, a transitional arrangement was put in place so that data could continue to flow. In June 2021, the European Commission approved two adequacy decisions in the UK’s favour – one relating to transfers under the GDPR and the other relating to the law enforcement directive.

Post-Brexit adequacy decisions

On the face of it, approving the UK as adequate for the purposes of personal data transfers should have been an easy decision – the UK had incorporated the GDPR into its post-Brexit laws in the form of the UK GDPR. The only changes made were to reflect the fact that the UK was no longer subject to the supervision of the EU bodies. But the evaluation was wider than that, looking at other relevant laws and arrangements, such as the extent of UK surveillance laws. Despite concerns raised, the final decision was that the UK met the necessary adequacy requirements.

The adequacy decision granted to the UK was, however, unusual in that it was time limited. As a result, the EU-UK adequacy decision was up for review four years later. Again, the process was not completed by the deadline and so an extension was granted, meaning the current adequacy arrangements remain in place for a further six months until 27 December 2025.

The impact of the Data Use and Access Act 2025

The European Commission made it clear that it was not going to approve a new adequacy decision until it understood the impact of the changes to the UK’s data protection regime being made by the incoming Data Use and Access Act 2025 (DUAA), which received Royal Assent on 19 June 2025.

Without an adequacy decision in place, transfers of personal data from the EU (and EEA) to the UK would have to use another transfer mechanism – most likely standard contractual clauses. This was part of the reason that the DUAA (and the bill that preceded it) is not as far reaching in its changes to the UK GDPR as some of the earlier proposals put forward by the previous government. The current government sought to retain alignment between the GDPR and UK GDPR, with a view to avoid any adequacy review hurdles.

The European Commission put forward a proposal to extend the current adequacy arrangements for six years to December 2031. At its meeting on 20 October, the European Data Protection Board (EDPB), the group representing the Supervisory Authorities responsible for overseeing compliance with the GDPR at a national level, issued its opinion on this proposal and granted its approval. The EDPB did, however, identify certain areas where the European Commission should seek further clarification and where monitoring of DUAA implementation should be undertaken.

Following the EDPB’s opinion, this left one final step – approval of the Member States through the Comitology procedure. With the current decisions set to expire on 27 December 2025 this process completed just ahead of the deadline with the European Commission announcing on 19 December that the renewal of the adequacy decisions had completed the approval process and the new decisions had been issued by the Commission.

The UK adequacy decisions are the only ones which are time-limited and this remains the case and this is largely to ensure that the general alignment between the UKGDPR and the GDPR is retained. The European Commission will continue to monitor the situation and if there are concerns these can be raised before the end of the 6 year period.

If you have any questions or need any assistance regarding the above, please contact our Data Protection and Privacy team.

Contributors: