ARTICLE
24 November 2025

EDPB's Cautious Opinions On Commission's Plan To Renew UK Adequacy Decisions

KL
Herbert Smith Freehills Kramer LLP

Contributor

Herbert Smith Freehills Kramer LLP logo
Herbert Smith Freehills Kramer is a world-leading global law firm, where our ambition is to help you achieve your goals. Exceptional client service and the pursuit of excellence are at our core. We invest in and care about our client relationships, which is why so many are longstanding. We enjoy breaking new ground, as we have for over 170 years. As a fully integrated transatlantic and transpacific firm, we are where you need us to be. Our footprint is extensive and committed across the world’s largest markets, key financial centres and major growth hubs. At our best tackling complexity and navigating change, we work alongside you on demanding litigation, exacting regulatory work and complex public and private market transactions. We are recognised as leading in these areas. We are immersed in the sectors and challenges that impact you. We are recognised as standing apart in energy, infrastructure and resources. And we’re focused on areas of growth that affect every business across the world.
Explore Firm Details
October saw the European Data Protection Board (the "EDPB") adopt its opinions on the European Commission's two draft adequacy decisions regarding the transfer of personal data from the EEA to the UK.
United Kingdom Privacy
Miriam Everett and Claire Wiseman
Your Author LinkedIn Connections
Miriam Everett’s articles from Herbert Smith Freehills Kramer LLP are most popular:
  • within Privacy topic(s)
  • with Inhouse Counsel
  • in United States
  • with readers working within the Banking & Credit and Utilities industries

October saw the European Data Protection Board (the "EDPB") adopt its opinions on the European Commission's two draft adequacy decisions regarding the transfer of personal data from the EEA to the UK. The Commission published the draft decisions in July 2025 and concluded that the UK continues to provide an adequate level of protection of personal data for EU GDPR and Law Enforcement Directive purposes. In parallel, the Commission granted a 6-month extension to the existing 28 June 2021 UK adequacy decisions until 27 December 2025, to give it sufficient time to evaluate the updated UK legal framework including the Data (Use and Access) Act 2025 ("DUAA"). If adopted, the final decisions would extend the UK's adequacy status until December 2031.

In adopting the opinions,the EDPB Chair, Anu Talus, welcomed "the continuing alignment between the UK and Europe's data protection framework, despite the recent changes in the UK legal framework" most of which aim to "clarify and facilitate" compliance with the law. She noted that the draft decisions will allow the uninterrupted free flow of personal data from the EEA to the UK without the need for further guarantees. However, she also called on the Commission to: (i) further analyse areas of concern highlighted by the Board; and (ii) ensure "effective monitoring" of certain issues "once the decisions are adopted".

Opinion 26/2025 (EU GDPR)

In respect of Opinion 26/2025 regarding the EU GDPR, these areas of concern and need for monitoring focused on potential divergence from EU standards and principally related to:

  • Changes to the Retained EU Law (Revocation and Reform) Act 2023, in particular, removing the principle of primacy of EU law, as well as removing the direct application of EU law principles.
  • New "extensive" regulatory powers granted to the UK Secretary of State under the DUAA to introduce changes to the new data protection framework via secondary legislation (which require less Parliamentary scrutiny). This is the case, for example, for international transfers, automated decision-making, and the governance of the ICO.
  • Rules on international transfers of personal data from the UK to third countries. The new adequacy test, introduced by the DUAA, requires the level of protection of the third country to be "not materially lower" than the one provided for data subjects by the UK framework. However, in the EDPB's opinion this test does not refer to "important elements that figured in the previous UK adequacy test and which play an important role in assessing whether a third country offers an essentially equivalent level of protection of personal data". These include the risk of government access, the existence of redress for individuals and the need for an independent supervisory authority.
  • Purported use by the UK Government of Technical Capability Notices under the Investigatory Powers Act 2016 requiring companies to circumvent encryption, as this would create "systemic vulnerabilities and pose a risk to the integrity and confidentiality of electronic communications".
  • Changes to the structure of the ICO -particularly rules around appointment and dismissal of board members - andthe exercise of its corrective powers.
  • New legal bases under "recognised legitimate interests"- in particular, regarding data processing for national security, public security and defence reasons and the practical application of this legal basis.
  • The new UK approach to automated decision making "which has yet to be tested in practice".

The EDPB welcomed the Commission's intention to conduct a review of the adequacy decisions at the end of December 2029 based on which the Commission will prepare a public report. This review will help inform the Commission as to whether, at least six months before the end of the adequacy decisions, it will initiate the process to extend the decisions further. The review will play an important role in monitoring the UK legal framework.

The UK held to a higher standard?

In this Lexology PRO article HSF Kramer Partner, Miriam Everett, queried whether the EDPB "appears to hold the UK "to a different (and possibly higher) standard" than other countries when it comes to adequacy considerations". She noted that "the European Court of Justice ruled in Schrems I that third countries cannot be required to ensure an identical level of protection to the one guaranteed in the EU." The third country must provide an "essentially equivalent" standard of protection.

The path to adopting UK adequacy decisions

In addition to these influential but non-binding EDPB opinions requested by the Commission, there are two further procedural steps before the draft UK adequacy decisions can be adopted; namely, (i) the committee representing EU member states need to review and vote on the draft decisions; and (ii) the European Parliament and Council have the right to scrutinise the decisions to provide oversight of the process.

However, it is unlikely that the UK's adequacy decisions would be withdrawn as part of this review (albeit that the Commission is likely to closely monitor developments in the UK in line with the opinions). Despite the UK reforms under the DUAA, the UK's data protection framework is still likely to be more closely aligned with the EU GDPR than any other jurisdiction deemed to be adequate by the Commission.

Comparing the UK GDPR reform with the EU GDPR reform

All eyes will also be closely following the EU GDPR which is currently the subject of its own "targeted" reform through the proposed Digital Omnibus Simplification Package due to be published on 19 November 2025. The reform is in response to the recent EU Competitiveness Compass and Mario Draghi's report about declining competitiveness due, in part, to overregulation. It is rooted in a proportionate and innovation friendly approach; cutting administrative compliance burdens (particularly for SMEs and SMCs in the EU); ensuring alignment and simplification across the EU's digital rules; and enhancing enforcement cooperation. It will be interesting to see how the EU and UK reforms compare; for example, around any of the administrative burden changes previously proposed under the UK Data Protection and Digital Information Bill (the predecessor to the DUAA) such as relaxing the ROPA requirement - an area currently being proposed by the Commission as part of the EU reform (albeit with the EU proposal taking a different form).

In the meantime, initial feedback from privacy activist, Max Schrems', noyb to a leaked version of the European Commission's proposals (ahead of the November deadline) refers to "a massive downgrading of Europeans' privacy 10 years after the GDPR was adopted." The leaked draft proposes a different set of pro-innovation changes to the UK, with some EU changes covering concepts untouched by the DUAA and others covering the same area but with different modifications. Whilst the final shape of the EU reform may end up looking very different from the leaked draft, it remains to be seen whether aspects of the EU GDPR end up being more innovation friendly than the UK data protection framework, whether the final EU reform will have the same "Brussels-effect" as the original GDPR did in terms of its global benchmark, or whether the UK will choose to align itself with that benchmark as well. For multinational organisations spanning both a UK and EU footprint, the complexity of navigating dual regimes or adhering to a high water mark remains.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Miriam Everett
Miriam Everett
Photo of Claire Wiseman
Claire Wiseman
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More