The European Commission has renewed its data adequacy agreement with the UKguaranteeing the free flow of data with the European Union (EU) for the next six years.
The agreement ensures that the UK's data protection framework is considered to provide equivalent safeguards to the EU, based on two European rules – the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED). The existing adequacy agreement was due to expire on December 27, but will now remain in effect until the same date in 2031.
This was announced by Minister for Digital Government and Data Ian Murray. post on X (formerly Twitter) that he was “delighted” with the decision.
“I am very pleased to welcome the EU's renewal of its two adequacy decisions for the UK. We remain committed to ensuring secure, reliable data flows between the UK and the EU to support growth, innovation and security,” he wrote.
Henna Virkkunen, executive vice-president for technology sovereignty, security and democracy at the European Commission, said renewed data adequacy benefits businesses and citizens on both sides of the English Channel.
“This ensures the free flow of personal data between the European Economic Area and the UK in full compliance with data protection rules, while reducing costs and administrative burdens. This continuity allows European businesses to continue to seamlessly share data with their UK partners, supporting innovation, competitiveness and robust digital collaboration.”
Data adequacy with the EU has become a critical issue after the UK left the bloc and the original 2021 agreement was based on measures introduced by the Data Protection Act 2018 (DPA).
In June this year, the government amended parts of the UK data protection regime through Data (Use and Access) Actwhich aimed to make it easier for businesses and the public sector to share data, which the government said would ease bureaucracy and increase efficiency.
In June, several civil society groups wrote to Michael McGrath, the European Commissioner for Democracy, Justice, Rule of Law and Consumer Protection, calling on the EU to overturn the UK's data adequacy status, citing serious concerns about the erosion of privacy and data rights and warning of a “significant risk” that the UK's new data adequacy decisions could be overturned by the European Court of Justice.
“Allowing third countries such as the UK to benefit from unrestricted flows of personal data with the EU, while weakening legal safeguards at home, not only jeopardizes the rights of people in the EU, but also undermines confidence in the EU data protection system, exposes EU businesses to unfair competition and devalues EU regulatory leadership on the global stage,” they wrote.
“The UK Government's proposed reforms and recent actions threaten to jeopardize data protection and privacy in the UK. This state of affairs will increase uncertainty and threaten both individuals and businesses.”
There were also warnings in Parliament that police use of US hyperscale cloud providers to process sensitive law enforcement data could jeopardize compliance with the Law Enforcement Directive.
In June 2024 Computer Weekly reported that UK police data uploaded to Microsoft cloud services is regularly sent abroad. for some forms of processing – in case of obvious disruption of the LED.
During a House of Lords debate in March, fellow Lib Dem Tim Clement-Jones highlighted how cloud service providers routinely processed data outside the UKand failed to provide contractual guarantees to police agencies as required by Part Three of the DPA, which implements the measures in LED: “As a result, their use for the processing of law enforcement data is prima facie unlawful,” he said.
To get around the failure to comply with these data transfer requirements, the government simply excluded them from the new data law.
“The government’s attempts to change the law highlight the problem and suggest that past data processing by cloud service providers did not comply with the UK GDPR and DPA,” Clement-Jones said at the time.
Commenting on the renewal of data adequacy, European Commissioner McGrath said: “The UK is an important strategic partner of the European Union and adequacy decisions form a central pillar of this partnership.
“By ensuring the free flow of personal data, they support both commercial exchange and justice and law enforcement cooperation. Their extension reflects the Commission's assessment that the UK legal framework continues to provide strong protection for personal data, which remains closely aligned with EU standards, including in the context of recent legislative changes.”
