The European Union has extended its data adequacy agreement with the UK, ensuring the continued free flow of information between the two entities for another six years.
A Six-Year Extension, But Concerns Remain
The agreement, vital for businesses and security, isn’t without caveats as the UK diverges from EU data standards.
- The data adequacy arrangement, initially established in 2021, was set to expire on December 27 but will now continue until December 27, 2031.
- The agreement hinges on the UK maintaining data protection safeguards equivalent to those outlined in the EU’s General Data Protection Regulation (GDPR) and Law Enforcement Directive (LED).
- Recent UK data reforms have raised concerns among civil society groups about potential erosion of privacy rights.
- Questions linger regarding the legality of UK police using US-based cloud providers for sensitive data processing.
The renewal assures that the UK’s data protection framework is considered equivalent to the EU’s, based on the GDPR and the LED. Minister for digital government and data Ian Murray expressed his enthusiasm on X (formerly Twitter), stating he was “thrilled” at the decision. “I’m thrilled to welcome the EU’s renewal of its two adequacy decisions for the UK. We remain committed to enabling secure, trusted data flows between the UK and EU to support growth, innovation and security,” he wrote on December 18, 2024.
Henna Virkkunen, executive vice-president for tech sovereignty, security and democracy at the European Commission, emphasized the benefits for both sides. “It ensures the free flow of personal data between the European Economic Area and the UK in full compliance with data protection rules while reducing costs and administrative burdens. This continuity allows European companies to keep sharing data seamlessly with their UK partners, supporting innovation, competitiveness and trusted digital cooperation.”
From Brexit to Reform: A Shifting Landscape
Data adequacy with the EU became a critical issue following the UK’s departure from the bloc, with the initial 2021 agreement built upon the measures introduced by the Data Protection Act 2018 (DPA). However, the landscape began to shift in June 2024 when the government amended the UK’s data protection regime through the Data (Use and Access) Act. This aimed to streamline data sharing for businesses and the public sector, purportedly easing bureaucracy and boosting efficiency.
What are the biggest concerns surrounding the UK’s data adequacy status? Several civil society groups voiced strong opposition to the renewal, writing to European commissioner Michael McGrath in June to request the EU rescind the UK’s data adequacy status. They cited major concerns about the erosion of privacy and data rights, warning of “a substantive risk” that future UK adequacy decisions could be overturned by the European Court of Justice.
“Allowing third countries such as the UK to benefit from unrestricted personal data flows with the EU while simultaneously weakening legal safeguards at home does not only endanger the rights of people in the EU, it also undermines the credibility of the EU’s data protection framework, exposes EU businesses to unfair competition, and devalues the Union’s regulatory leadership on the global stage,” the groups argued. “The UK government’s proposed reforms and recent actions threaten to imperil the UK’s data and privacy protections. This status of affairs will fuel uncertainty and threaten individuals and businesses alike.”
Cloud Concerns and Law Enforcement Data
Adding to the complexity, concerns were raised in Parliament regarding the potential risks to adequacy with the LED stemming from police use of US-based hyperscale cloud providers for processing sensitive law enforcement data. Reports surfaced in June 2024 revealing that UK policing data uploaded to Microsoft cloud services was routinely transferred offshore for certain types of processing, potentially violating the LED.
During a House of Lords debate in March, Liberal Democrat peer Tim Clement-Jones highlighted that cloud service providers frequently processed data outside the UK and were unable to provide the contractual guarantees required by Part Three of the DPA, which implements measures in the LED. “As a result, their use for law enforcement data processing is, on the face of it, not lawful,” he stated.
In response to these compliance issues, the government opted to remove the relevant requirements from the new data act. Clement-Jones noted at the time, “The government’s attempts to change the law highlight the issue and suggest that past processing on cloud service providers has not been in conformity with the UK GDPR and the DPA.”
European commissioner McGrath acknowledged the strategic importance of the UK-EU partnership, stating, “The UK is an important strategic partner for the European Union and the adequacy decisions form a central pillar of this partnership. By enabling the free flow of personal data, they underpin both commercial exchanges and cooperation in the fields of justice and law enforcement. Their renewal reflects the Commission’s assessment that the UK’s legal framework continues to provide robust safeguards for personal data that remain closely aligned with EU standards, including in the context of recent legislative developments.”
