EDPB Backs Extension of UK Adequacy Decisions
Most changes to the U.K.'s data protection regime will ease data flows between the U.K. and EU, but some should be clarified and monitored, the European Data Protection Board (EDPB) said Monday.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
EDPB published opinions on draft European Commission decisions to grant Britain adequacy under the GDPR and Law Enforcement Directive until 2031. The current adequacy decisions expire next month.
In its opinion on the U.K. GDPR, the board urged the EC to further analyze and monitor changes to the Retained EU Law (Revocation and Reform) Act 2023, particularly the provisions that remove EU law and legal principles from the U.K.'s framework.
The EDPB noted that the U.K. secretary of state has new powers to change the country's data protection framework through secondary regulations that require less parliamentary scrutiny. This change affects international data transfers, automated decision-making and ICO governance, the opinion said. The EC should "address possible risks of divergence by highlighting ... the areas which they intend to carefully monitor."
The EC should also monitor U.K. rules on transfers from Britain to third countries, the board said. The Data (Use and Access) Act 2025 introduced a new adequacy test, which requires the level of protection of a third country not to be materially lower than that provided to data subjects in the U.K., "but this test does not refer to the risk of government access, the existence of redress for individuals and the need for an independent supervisory authority."
In addition, the board called on the EC to monitor the U.K. government's "purported use" of technical capability notices to force companies to circumvent encryption.
Unlike the U.S. administration, the EU has "had a much more muted reaction to the U.K. Home Office's purported attempt to build a 'backdoor'" to Apple's end-to-end encrypted services (see Ref:2508190013]), IAPP Director of Research and Insights Joe Jones said in a statement emailed to Privacy Daily.
"The EDPB has broken cover and characterized the UK's demands of Apple as a 'significant development that merits attention,'" with the expectation that the EC will address it explicitly, Jones said.
It's also ironic, he added, that the EU continues to scrutinize the U.K.'s reformed data protection scheme while the EC is itself mulling whether and how to revise the GDPR "with proposals that might go further in departing from the status quo than the UK went.
The opinion on the Law Enforcement Directive, among other things, stressed that the U.K.'s more permissive approach to automated decision-making makes meaningful human review more important and asked the EC to monitor possible exemptions from people's right to obtain human intervention.