UK adequacy – Where are we now?

When the UK exited the European Union in January 2021, the major concern for data protection lawyers was what this would mean for transfers of personal data between the UK and EU.

From the UK’s perspective, it deemed each of the EU (and EEA) member states as adequate so that transfers of personal data could continue post Brexit. Transfers between the EU (and EEA) and the UK were not so straightforward.

Between January 2021 and the decision on 28 June 2021, a transitional arrangement was put in place so that data could continue to flow. In June 2021, the European Commission approved two adequacy decisions in the UK’s favour – one relating to transfers under the GDPR and the other relating to the law enforcement directive.

Post-Brexit adequacy decisions

On the face of it, approving the UK as adequate for the purposes of personal data transfers should have been an easy decision – the UK had incorporated the GDPR into its post-Brexit laws in the form of the UK GDPR. The only changes made were to reflect the fact that the UK was no longer subject to the supervision of the EU bodies. But the evaluation was wider than that, looking at other relevant laws and arrangements, such as the extent of UK surveillance laws. Despite concerns raised, the final decision was that the UK met the necessary adequacy requirements.

The adequacy decision granted to the UK was, however, unusual in that it was time limited. As a result, the EU-UK adequacy decision was up for review four years later. Again, the process was not completed by the deadline and so an extension was granted, meaning the current adequacy arrangements remain in place for a further six months until 27 December 2025.

The impact of the Data Use and Access Act 2025

The European Commission made it clear that it was not going to approve a new adequacy decision until it understood the impact of the changes to the UK’s data protection regime being made by the incoming Data Use and Access Act 2025 (DUAA), which received Royal Assent on 19 June 2025.

Without an adequacy decision in place, transfers of personal data from the EU (and EEA) to the UK would have to use another transfer mechanism – most likely standard contractual clauses. This was part of the reason that the DUAA (and the bill that preceded it) is not as far reaching in its changes to the UK GDPR as some of the earlier proposals put forward by the previous government.

The current government sought to retain alignment between the GDPR and UK GDPR, with a view to avoid any adequacy review hurdles.

So where are we now?

The interim arrangements come to an end on 27 December 2025, but it’s looking positive for a new EU-UK adequacy decision. The European Commission has put forward a proposal to extend the current adequacy arrangements for six years to December 2031.

At its meeting on 20 October, the European Data Protection Board (EDPB), the group representing the Supervisory Authorities responsible for overseeing compliance with the GDPR at a national level, issued its opinion on this proposal and granted its approval. The EDPB did, however, identify certain areas where the European Commission should seek further clarification and where monitoring of DUAA implementation should be undertaken.

Obtaining the opinion of the EDPB was the second stage of the process. The next step is approval by the representatives of the EU member states, following which there will be a formal adoption of the decision by the European Commission. While the process is not yet complete the EDPB opinion moves us one step closer to meeting the 27 December deadline and (we hope) obtaining renewal of the adequacy decisions.

If you have any questions or need any assistance regarding the above, please contact our Data Protection and Privacy team.

Contributors: