EDPB calls for further monitoring as it adopts opinions on UK adequacy

The European Data Protection Board (EDPB) has adopted two opinions on the European Commission's draft decisions to extend the validity of the UK's adequacy status under the EU General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED) until December 2031. 

While not rejecting the proposed six-year extension, the EDPB recommends that the Commission continue to "monitor" various areas where the UK's data protection legal framework diverges from EU law.

In its GDPR opinion, the EDPB generally accepted that most changes to the UK's data protection framework aim to simplify compliance. However, the Board urged the Commission to further analyse and monitor several critical areas. These include the impact of changes under the Retained EU Law (Revocation and Reform) Act 2023 concerning the primacy and the application of the principles of EU law, the new powers granted to the Secretary of State to introduce changes via secondary legislation, and the potential for regulatory divergence, particularly concerning automated decision-making and international data transfers.

The EDPB also urged the Commission to assess the UK's new adequacy test for transfers to third countries, introduced by the Data (Use and Access) Act 2025 (DUA Act), which requires that the level of protection in the third country is not materially lower than that provided by the UK. The EDPB highlights that this does not explicitly reference key protections such as the risk of government access or individual redress mechanisms. Furthermore, the Board raised concerns about the reported use of Technical Capability Notices by the UK government to require companies to circumvent encryption, warning that this creates systemic vulnerabilities. Finally, the EDPB called for close monitoring of changes to the structure and corrective powers of the Information Commissioner's Office (ICO).

In its LED opinion, the EDPB welcomed the continuous alignment between the two legal frameworks but asked the Commission to complement its assessment of national security exemptions. These exemptions can waive many data protection principles for law enforcement and limit the ICO's enforcement and inspection powers. The Board also urged the Commission to clarify and monitor possible exemptions from individuals' right to obtain meaningful human review for automated decision-making.

The draft adequacy decisions will now be put forward for a vote at the Comitology Committee.

Training Announcement: Freevacy offers a range of independent data protection qualifications from IAPP and BCS. Our certified courses are available at foundation and practitioner levels and cover multiple legal jurisdictions, data protection operations management, and the implementation of complex privacy solutions in technical environments. Find out more.