European Commission renews UK data adequacy agreement, ensuring continued free flow of data | Computer Weekly

The European Commission has renewed its data adequacy agreement with the UK, guaranteeing free flow of data with the European Union (EU) for a further six years.

The agreement assures that the UK’s data protection framework is considered to have equivalent safeguards to the EU, based on two European regulations – the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED). The existing adequacy arrangement was due to expire on 27 December but will now continue until the same date in 2031.

Minister for digital government and data Ian Murray said in a post on X (formerly Twitter) that he was “thrilled” at the decision.

“I’m thrilled to welcome the EU’s renewal of its two adequacy decisions for the UK. We remain committed to enabling secure, trusted data flows between the UK and EU to support growth, innovation and security,” he wrote.

Henna Virkkunen, executive vice-president for tech sovereignty, security and democracy at the European Commission, said the renewal of data adequacy benefits businesses and citizens on both sides of the Channel.

“It ensures the free flow of personal data between the European Economic Area and the UK in full compliance with data protection rules while reducing costs and administrative burdens. This continuity allows European companies to keep sharing data seamlessly with their UK partners, supporting innovation, competitiveness and trusted digital cooperation.”

Data adequacy with the EU became a critical issue after the UK left the bloc, and the original 2021 agreement was based on the measures introduced by the Data Protection Act 2018 (DPA).

In June this year, the government amended parts of the UK’s data protection regime through the Data (Use and Access) Act, which aimed to make it easier for businesses and the public sector to share data, which the government claimed would ease bureaucracy and improve efficiency.

Several civil society groups wrote in June to Michael McGrath, European commissioner for democracy, justice, the rule of law and consumer protection, calling for the EU to rescind the UK’s data adequacy status, citing major concerns around the erosion of privacy and data rights and warning of “a substantive risk” that fresh UK adequacy decisions could be struck down by the European Court of Justice.

“Allowing third countries such as the UK to benefit from unrestricted personal data flows with the EU while simultaneously weakening legal safeguards at home does not only endanger the rights of people in the EU, it also undermines the credibility of the EU’s data protection framework, exposes EU businesses to unfair competition, and devalues the Union’s regulatory leadership on the global stage,” they wrote.

“The UK government’s proposed reforms and recent actions threaten to imperil the UK’s data and privacy protections. This status of affairs will fuel uncertainty and threaten individuals and businesses alike.”

There were also warnings in Parliament that police use of US-based hyperscale cloud providers for processing sensitive law enforcement data could put adequacy with the Law Enforcement Directive at risk.

In June 2024, Computer Weekly revealed that UK policing data uploaded to Microsoft cloud services is routinely sent offshore for some forms of processing, in an apparent breach of the LED.

During a debate in the House of Lords in March, Liberal Democrat peer Tim Clement-Jones highlighted how cloud service providers routinely processed data outside the UK, and were unable to provide contractual guarantees to policing bodies as required by Part Three of the DPA, which implements measures in the LED: “As a result, their use for law enforcement data processing is, on the face of it, not lawful,” he said.

To circumvent the lack of compliance with these transfer requirements, the government simply dropped them from the new data act.

“The government’s attempts to change the law highlight the issue and suggest that past processing on cloud service providers has not been in conformity with the UK GDPR and the DPA,” said Clement-Jones, at the time.

Commenting on the renewal of data adequacy, European commissioner McGrath said, “The UK is an important strategic partner for the European Union and the adequacy decisions form a central pillar of this partnership.

“By enabling the free flow of personal data, they underpin both commercial exchanges and cooperation in the fields of justice and law enforcement. Their renewal reflects the Commission’s assessment that the UK’s legal framework continues to provide robust safeguards for personal data that remain closely aligned with EU standards, including in the context of recent legislative developments.”