The European Data Protection Board issues opinions on extending UK data adequacy decisions until 2031

The European Data Protection Board has adopted two opinions on the European Commission’s proposal to extend the validity of the UK’s data adequacy decisions under the GDPR and the Law Enforcement Directive until December 2031, allowing data flows between the EU and UK to continue without additional safeguards.

The European Data Protection Board (EDPB) has issued its official opinions on the European Commission’s draft decisions to extend the UK’s data adequacy status for another six years, until December 2031. The decisions concern both the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED), and are meant to ensure the continued free flow of personal data between the European Union and the United Kingdom.

Adequacy decisions allow EU-based organisations to transfer personal data to third countries without additional legal mechanisms, provided the recipient country ensures a level of protection equivalent to that of the EU. The UK’s current adequacy decisions, first adopted in June 2021, are set to expire in December 2025.

Continued alignment, but areas for closer monitoring
In its opinions, the EDPB acknowledged that the UK’s data protection framework remains closely aligned with the EU’s standards, despite recent domestic legal reforms. EDPB Chair Anu Talus welcomed this ongoing alignment but urged the European Commission to address specific concerns and ensure effective monitoring of how UK laws evolve.

One major focus of the EDPB’s recommendations is the UK’s Retained EU Law (Revocation and Reform) Act 2023, known as the REUL Act. The Board noted that the Act removes the principle of primacy of EU law and could weaken direct application of EU legal principles in the UK. It also drew attention to new powers granted to the UK Secretary of State, allowing regulatory changes with limited parliamentary oversight, especially concerning international data transfers, automated decision-making, and governance of the Information Commissioner’s Office (ICO).

The EDPB called on the Commission to monitor potential risks of divergence in these areas and to strengthen oversight of UK-to-third-country data transfers. The Board also raised concerns about the UK government’s potential use of Technical Capability Notices, which can compel companies to weaken encryption, posing risks to data confidentiality and cybersecurity.

At the same time, the EDPB positively noted the ICO’s transparency policies and its regular publication of enforcement data. It confirmed that many of the UK’s core data protection rules, on transparency, data subject rights, and sensitive data, remain consistent with the EU framework established under the GDPR.

Law enforcement and national security exemptions
Regarding the Law Enforcement Directive (LED), the EDPB similarly welcomed continued alignment but asked the Commission to scrutinise national security exemptions that could override key data protection principles. The Board also urged close monitoring of how UK authorities handle automated decision-making in law enforcement, stressing the importance of maintaining meaningful human review.

The EDPB reaffirmed that oversight and redress mechanisms for individuals remain largely unchanged since the 2021 decisions, but called for continued vigilance to ensure effective remedies and enforcement in practice.

Next steps
The Commission’s final decision will determine whether the UK continues to be recognised as providing adequate protection under EU law. Once adopted, the new decisions will replace and build upon the 2021 adequacy rulings, ensuring ongoing legal certainty for businesses and public authorities transferring personal data between the EU and the UK.
