)
By Dr Karen Mc Cullagh
The European Commission has formally adopted its renewal of two EU data adequacy decisions for the United Kingdom, confirming that personal data may continue to flow lawfully from the European Economic Area (EEA) to the UK, under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED). This renewal removes the immediate risk of disruption to EU–UK data transfers that underpin trade, public services, and law enforcement cooperation. The decisions rest on the Commission’s assessment that the UK’s legal framework provides an essentially equivalent standard and safeguards to those under EU law, following a detailed review of the UK regime, including the implications of recent domestic legislative reforms.
A notable development in the renewed decisions concerns immigration data. The original 2021 adequacy decisions excluded personal data processed for UK immigration control from their scope due to legal challenges (Open Rights Group v Secretary of State for the Home Department [2021] EWCA Civ 800 and subsequently, R (Open Rights Group) v Secretary of State for the Home Department [2023] EWCA Civ 1544). These challenges concerned the "immigration exemption", which allowed controllers involved in immigration control to restrict certain data subjects' rights, such as the right of access, under the DPA 2018, if this would likely prejudice immigration control activities. Following UK Government amendments in 2022 and 2024 that introduced safeguards such as case-by-case assessment, proportionality requirements, and enhanced oversight, the Commission concluded the exemption now provides adequate protection. Immigration data can therefore now flow from the EU to the UK under the adequacy framework, though the European Data Protection Board has emphasized the need for continued monitoring of its practical application.
The UK’s Data (Use and Access) Act 2025 attracted attention from civil-society organisations, which wrote to EU institutions warning that elements of the Act could weaken privacy safeguards and heighten risks to data rights, potentially undermining the credibility of the EU’s data protection framework. While the European Commission concluded that the UK's framework continues to provide essentially equivalent protection, the European Data Protection Board highlighted several areas requiring close monitoring, including changes to the governance of the Information Commissioner's Office, new powers granted to the Secretary of State, and modifications to automated decision-making rules. These concerns did not prevent renewal, but they shaped the conditions attached to it.
This outcome followed a period of scrutiny and engagement in the UK that preceded the renewal. Ahead of the scheduled expiry in June 2025 of the original adequacy decisions, the House of Lords European Affairs Committee launched an inquiry to examine the risks, economic implications, and operational consequences of any loss of adequacy. As part of that evidence-gathering process, I submitted written evidence addressing the compliance, trade and regulatory certainty benefits of maintaining adequacy. The inquiry carried particular weight because it took place against a fixed legal deadline for adequacy expiry and represented Parliament’s principal mechanism for scrutinising whether Government policy choices, including proposed changes to UK data protection law in support of innovation, risked undermining renewal.
In its October 2024 letter to the Secretary of State, the House of Lords European Affairs Committee explicitly:
• warned of significant extra costs and administrative burdens for businesses and public-sector bodies if adequacy were lost;
• stressed the implications for trade, economic cooperation, investment attractiveness, and sectors such as law enforcement and the NHS; and
• concluded that the Government “should therefore pursue data protection policies that are aimed at retaining the UK’s data adequacy status… Securing adequacy renewal decisions from the European Commission in the first half of 2025 should be the Government’s immediate data protection policy priority.”
The Government’s response endorsed that analysis. The Secretary of State confirmed that retaining adequacy was a priority, highlighted the extent of ministerial and official-level engagement already under way with the European Commission, and made clear that the UK intended to seek renewal.
Against that backdrop, the Commission’s formal adoption of renewed adequacy decisions on 19 December 2025, following publication of draft decisions in June 2025, provides an expected but still welcome outcome. It delivers continuity for businesses, public services, research organisations and law-enforcement bodies that depend on predictable personal data transfers. It also avoids a disruptive shift to alternative transfer mechanisms, such as standard contractual clauses or binding corporate rules, that would have introduced unnecessary legal and administrative friction and significant compliance costs.
In procedural terms, the renewal followed the EU adequacy decision adoption process. The draft decisions were examined by the European Data Protection Board (which issued its opinions in October 2025) and were then approved by EU member states through the comitology procedure before final adoption by the Commission. In the meantime, the original adequacy findings were extended from June 2025 to December 2025 to preserve continuity while that scrutiny took place, ensuring that personal data could continue to flow lawfully while the legislative and institutional steps were completed.
The political reaction underlines the importance of this outcome. As Ian Murray MP, Minister of State with responsibility for science, innovation and digital policy, stated on X (formerly Twitter): “I’m thrilled to welcome the EU’s renewal of its two adequacy decisions for the UK. We remain committed to enabling secure, trusted data flows between the UK and EU to support growth, innovation and security.”
The renewal reflects a judgment that continuity and trust in cross-border data governance remain strategically more valuable than short-term regulatory divergence.
The renewed decisions are subject to periodic review and include a six-year sunset clause running until 27 December 2031, with the possibility of subsequent renewal. The Commission, working with representatives of the European Data Protection Board, will review the functioning of the adequacy decisions after a period of four years. This underscores that adequacy remains conditional and subject to ongoing monitoring, and it requires stakeholders to stay alert to future reviews, regulatory divergence and legislative reform. Any significant departure from current standards could influence the Commission’s ongoing adequacy assessment. The decisions therefore represent continued alignment rather than a permanent guarantee.
Even so, the outcome is positive: Brussels has confirmed that the UK continues to meet the required standard. For organisations operating across the EU–UK digital economy, the result provides welcome and much-needed stability.
Karen Mc Cullagh, January 2026