European Commission Indicates That the UK Remains Adequate Following the Introduction of the Data (Use and Access) Act 2025

The European Commission (EC) has indicated, by publishing its draft adequacy decision of July 22, 2025 (Draft Adequacy Decision), that the level of protection for personal data ensured by the United Kingdom (UK) remains essentially equivalent to European standards, following the UK’s adoption of the Data (Use and Access) Act 2025 (DUAA) on June 19, 2025. This development bodes well for the renewal of the EC’s UK adequacy decision, which is due to expire on December 27, 2025. The UK adequacy decision permits the free flow of personal data to continue from European Member States to the UK, following Brexit.

Absent the decision, European businesses wishing to share personal data with those in the UK, whether group companies, trading partners, or service providers, would have to implement an appropriate safeguard (such as standard contractual clauses) to ensure personal data remains sufficiently protected, or cease sharing such data altogether.

Background

The General Data Protection Regulation 2016/679 (GDPR) prohibits the transfer of personal data to third countries that do not ensure an adequate level of protection for personal data. On leaving the European Union on January 31, 2020, the UK became such a third country, to which the transfer of personal data would ordinarily be prohibited. However, to enable the free flow of personal data to continue from the EU to the UK, the EC issued an adequacy finding on June 28, 2021. The adequacy finding was due to expire on June 27, 2025, but was extended to December 27, 2025 in order to enable the EC to assess the impact of the DUAA on UK data protection standards.

The DUAA amends the UK GDPR, the Data Protection Act 2018 (DPA 2018), and the Privacy and Electronic Communications (EC Directive) Regulations 2003, however the changes are subtle refinements rather than a radical overhaul. The DUAA is the culmination of a number of attempts at UK data protection reform, initiated by the previous government with the Data Protection and Digital Information Bill (DPDI). The changes the DPDI would have introduced were more radical and were perceived by the EC as a significant divergence from the data protection standards of the GDPR. The EC made it clear that if UK data protection standards were to deviate from those of the GDPR, it could revoke or refuse to renew the UK adequacy decision. In practice, this would have presented a compliance challenge to European businesses that shared data with the UK, which would have had to implement appropriate safeguards to enable the transfer, such as the standard contractual clauses (SCCs) or binding corporate rules (BCR).

The Draft Adequacy Decision considers the impact of the changes to the UK data protection landscape that the DUAA makes. It concludes that the UK GDPR and DPA 2018, as amended by DUAA, continue to ensure a level of protection for personal data transferred from the EU that is essentially equivalent to that guaranteed by the GDPR. The remaining steps to be taken prior to the Draft Adequacy Decision’s adoption are that the European Data Protection Board (EDPB) must issue an opinion, the EC must obtain approval from a committee composed of representatives of the EU Member States, and the decision must pass the scrutiny of the European Parliament. Subject to successfully negotiating these stages, the Draft Adequacy Decision will apply for a period of six years from its entry into force, i.e., until December 27, 2031, after which time it may be renewed for a further period of four years.

© Arnold & Porter Kaye Scholer LLP 2025 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.