EU Commission renews adequacy decision for the UK's data protection regime
The question
What does the European Commission's renewal of its data protection adequacy decisions mean for the free flow of personal data between the UK and the EU?
The key takeaway
The Commission’s renewal of the adequacy decisions granted to the UK in 2021 means that EU-UK data flows can continue largely as they do today, without the need for additional assessments or safeguards for each transfer. For most organisations with operations in the EU and UK, this preserves a familiar and relatively low-friction basis for sharing personal data across borders until at least December 2031, albeit against a backdrop of ongoing EU monitoring of the UK regime.
The background
EU Regulation 2016/679 (the EU GDPR) empowers the European Commission to determine whether the data protection framework of a non-EU country offers an adequate level of protection for personal data transferred from the EU and the European Economic Area (EEA) to that country. If the Commission determines that the protection offered to personal data in a jurisdiction is equivalent to that in the EU, it can grant an adequacy decision that allows the free flow of data subject to the EU GDPR to that jurisdiction without further safeguards.
In 2021, the Commission adopted two Implementing Decisions concluding that the UK's laws and regulatory framework provided adequate protection for personal data transferred from the EU to the UK (the Decisions). In doing so, the Commission took into account that the UK would adopt a new data protection regime post-Brexit, amending the regime that applied while the UK was an EU Member State. The Decisions were limited to four years as a result and were scheduled to expire on 27 June 2025. This was later extended to 27 December 2025, following the introduction of the Data (Use and Access) Act (DUAA), which amended the UK GDPR and DPA 2018 (see our Summer 2025 edition of Snapshots), to allow the Commission to complete its assessment of the UK's new data protection landscape.
The development
On 19 December 2025, the Commission announced that it had renewed its 2021 Implementing Decisions under both the GDPR and the Law Enforcement Directive (LED), concluding that the UK's data protection framework continues to provide an adequate level of protection for personal data that is "essentially equivalent" to the protection provided within the EU itself.
In its assessment, the Commission considered whether the data protection rights, their effective implementation, supervision and enforcement, and the legal system as a whole remain effective in delivering the required level of protection. The Decision is not, however, a finding that the UK's framework offers an identical level of protection to the EU.
The renewed Decision reviews and considers UK legislative and regulatory developments including changes made by DUAA, such as:
- the new provisions around processing personal data for scientific and statistical purposes, which the Commission found to be consistent with the "letter and spirit" of the GDPR
- an additional lawful ground of processing for the purposes of a "recognised legitimate interest". The Commission noted that this new ground is subject to several important limitations, including that processing must serve a clear public interest
- new powers allowing the Secretary of State to add new special categories of data that are subject to additional protection. The Commission concluded that this does not affect the level of protection for special categories of data that it found adequate in 2021
- clarification of the time limit for responding to data subject access requests (DSARs) and codification of case law such that searches should be "reasonable and proportionate". The Commission observed that this reflects existing ICO guidance and ensures that DSARs are handled in reasonable timeframes, preserving the right of access
- the replacement of the ICO with a reformed Information Commission as the data protection enforcement authority, and the introduction of new powers (including the right to require reports and issue interview notices). The Commission concluded that safeguards to ensure the authority’s independence remain equivalent to those assessed in 2021.
The Commission's 2021 Decision remains in force for aspects of UK data protection law that have not been amended. The renewed Decisions will remain in force until 27 December 2031, when it is anticipated that the position will be reviewed again.
Why is this important?
Adequacy decisions are binding on all EU Member States. The renewal of the UK's adequacy status means that personal data can continue to flow from the EU to the UK without the need for additional authorisations, and vice versa.
For UK businesses operating in or with the EU, this avoids the need to put in place additional safeguards and assessments for data transfers, reducing cost while maintaining assurances that customer and employee data will be appropriately protected. The Commission will continue to monitor the UK's data protection framework and any legislative or regulatory developments, on an ongoing basis, to ensure its decision remains valid.
Any practical tips?
Businesses should confirm that EU partners are aware that the adequacy decisions have been renewed and consider this in their processes for establishing any new EU-UK transfers.
Spring 2026