Europe warns of threat to adequacy agreement

LIBE committee raises concerns about Data Protection and Digital Information Bill to UK government and European Commission.

The Committee on Civil Liberties, Justice and Home Affairs (LIBE Committee) has written to the Chair of the European Committee in the House of Lords to warn that “UK divergence from EU data standards, [is] putting the validity of the adequacy findings into question”. The Committee notes that it has been closely following the progress of data reform in the UK, as both adequacy agreements with the EU “contain sunset clauses, and thus will automatically expire four years after their entry into force”.

The key areas of concern noted by the LIBE Committee are:

  • Change to the definition of personal data
    The Committee notes that: “the Bill modifies the concept of “personal data” that is at the heart of the EU data protection regime”.
  • Threats to the independence of the Information Commissioner’s Office
    The letter notes that, “the Bill appears to further undermine, not merely the effectiveness, but beyond that the independence of the ICO”.
  • Data transfers
    The committee is “strongly concerned” that the Bill would lead to the “bypassing of EU rules on international transfers to countries or international organisations not deemed adequate under EU law”.

The letter also reminds the UK parliament of its human rights obligations and notes that, “any possible changes to the UK’s Human Rights Act or the UK’s departure from ECHR jurisprudence would, in the opinion of the LIBE Committee, have a negative impact on the UK adequacy”.

Mariano delli Santi, Legal and Policy Officer for Open Rights Group said:

“Losing the adequacy agreement would be a disaster for the UK economy. As the Bill enters its final stages, the Government needs to act urgently to protect our data protection rights.

The concerns of the LIBE committee highlights how the data rights of people in the UK will be reduced compared to people living in Europe. This should not be acceptable to our parliamentarians.”

Cost of breaching the adequacy agreement

After Brexit, the European Commission adopted two adequacy decisions on, which allowed for the free flow of personal data between the UK and the EU, without requiring additional safeguards. Losing such status would add significant red tape for UK businesses, disrupt trade, and would risk undermining important cooperation initiatives between the EU and the UK such as data sharing for research (Horizon), law enforcement (Prum) or immigration control purposes (Frontex). The cost to UK businesses has been estimated at £1-1.6 billion in legal fees alone.

Warning to the European Commission

The LIBE Committee previously wrote to the European Commissioner, Didier Reynders, in March, noting that the DPDI Bill still had “many controversial provisions unchanged (such as lack of independence of supervisory authority or the removal of the Biometrics and Surveillance Camera Commissioner, which oversees the sharing of DNA and fingerprint data under Prüm cooperation with the EU)”. Another MEP tabled a written question only some weeks before, asking if the Commission intends to revoke the UK adequacy decision. The European Commission have already confirmed that some changes of the DPDI Bill would raise concerns in a response to a written question and to the LIBE committee last year.

Civil society concerns

In July 2023, 28 civil society organisations wrote to the European Commission to raise concerns that to raise concerns that UK’s data protection reform would undermine European citizens’ data protection rights, thereby threatening the adequacy agreement.