EU-UK Data Adequacy Renewal - Proceed with Caution

The EU-UK draft adequacy renewal was published last week. Partner Cavan Fabris and trainee Sophie Hudson from our Cyber & Data Privacy team have summarised the key takeaways below.

The European Commission's Draft Renewal of EU adequacy decision for the UK under the GDPR, published 22 July 2025, has reaffirmed that organisations based in the EU have a valid mechanism for transferring EU personal data to the UK. It is a welcome development for UK businesses that operate in the EU and for all organisations relying on cross-border data flows.

However, this renewal comes with clear caveats. The EU’s adequacy framework is built on the principle of “essential equivalence.” This means the UK must maintain data protection standards that closely match those of the EU’s GDPR. The adequacy decision is not permanent and may change as the UK's regulatory landscape evolves.

Click here to read Draft Renewal of EU adequacy decision for the UK under the GDPR in full.

Key Takeaways:

1. Adequacy is conditional:

   The European Commission must monitor developments in the UK on an ongoing basis to ensure that the UK continues to provide an equivalent level of data protection.  The EU reviews adequacy decisions at least every four years, meaning that the decision will be reviewed come again in 2029. The UK’s future adequacy is not a permanent guarantee.

Legislative changes trigger reassessment:

Any reforms to the UK GDPR or Data (Use and Access) Act that weaken individual rights, reduce regulatory oversight, or dilute safeguards may put the UK's ongoing adequacy at risk. In particular, the Draft closely assesses the recently enacted Data (Use and Access) Act and its compliance. Continued adherence to the European Convention of Human Rights and submission to the jurisdiction of the European Court of Human Rights is also required. 

The Commission noted that the following areas should be monitored closely to ensure ongoing adequacy:

• Automated decision-making: Safeguards ensuring transparency and human intervention should remain robust.
• Processing special categories of personal data: The UK's data protection framework continues to provide specific safeguards where special categories of data are involved, though this will be monitored.
• Purpose limitation: The UK should continue to require that data is processed for a specific purpose and subsequently used only insofar as this is not incompatible with the original purpose of the processing.
• International transfers: The UK must ensure onward transfers only go to jurisdictions with strong protections. If that were to change, this would undermine the level of protection currently guaranteed to personal data transferred from the EU to the United Kingdom. This will be closely monitored by the Commission.

      3.   Oversight, Enforcement, and Data Subject Rights

The independence and effectiveness of the UK’s data protection authority (soon to be the Information Commission) remain under scrutiny. The EU will watch closely to ensure individuals retain effective means to challenge misuse of their data and seek redress.

The UK’s exclusion from the EU’s consistency and cooperation mechanisms post-Brexit may create challenges for harmonised enforcement and interpretation.

Next steps

The message is clear. Ongoing adequacy requires regulatory alignment and a commitment to high data protection standards, particularly in light of the changing regulatory landscape. UK regulators must tread a careful line between allowing innovation but ensuring ongoing adequacy. Businesses should remain abreast with how these changes might impact their daily functions and should not be complacent that future adequacy is guaranteed.

Assess your cross-border data transfer mechanisms and be prepared to implement alternatives if the adequacy status changes. Seek legal advice if you process EU personal data or rely on cross-border data flows.