DRAFT UK ADEQUACY DECISION: SUMMARY OF FINDINGS


OPEN RIGHTS GROUP REACTION TO THE DRAFT UK ADEQUACY DECISION

On July 22, the European Commission published its Draft Adequacy Renewal for the UK adequacy decisions adopted under the EU GDPR and LED.

Open Rights Group recognises the importance that retaining an adequate level of protection of personal data has for the United Kingdom and its residents. We also recognise the UK adequacy determination as an important instrument to reinforce and root the United Kingdom's relationship with the European Union in the democratic values of the rule of law and the protection of human dignity and rights.

Against this background, we welcome the retention of a sunset period in the UK adequacy decision, in recognition of the dubious commitment of the UK political leadership toward the values mentioned above. We also welcome the clear statement, included in the draft adequacy decision, on the non-negotiable nature of the UK's membership of the European Convention on Human Rights and the Council of Europe Convention 108. Finally, we share the assessment that the APEC Cross-Border Privacy Rules (CBPR) system should not be relied upon by the United Kingdom, as this framework does not provide meaningful answers to disproportionate State surveillance and its impact on individuals' right to privacy and data protection.

Having regard to the above, in this analysis Open Rights Group wants to draw the attention of all stakeholders to the shortcomings of the Commission's assessment, and the risks it entails.

The legal analysis that underpins the draft UK adequacy renewal presents key deficiencies: it replicates most of the UK government's arguments at face value, despite the ample body of analysis and criticism that has been developed by UK academia, experts and civil society over the course of the last five years. Further, key developments in UK data protection law are missing.

While the full weight of the changes to the UK data protection rulebook will take time to manifest, the Commission's assessment severely underestimates the downward direction the UK has been taking and the scope for further divergence introduced by the Data (Use and Access) Act 2025. Further, Open Rights Group is particularly concerned that the monitoring and review mechanisms included in the draft are underwhelming, in the face of the volatility introduced by delegated legislative powers, which could reshape key areas of UK data protection law in as little as 28 days and without meaningful Parliamentary or public scrutiny.

Understating the significance of the issues at play does not reduce the risk of a judicial invalidation of the UK adequacy determination, nor does it help decision-makers in the United Kingdom or stakeholders on both sides of the Channel to understand and address the risk their decisions may entail. An invalidation of the UK adequacy decision would undermine key aspects of EU-UK relations such as the Trade and Cooperation Agreement, the Windsor Framework and the UK's participation in Horizon Europe. It would also kill any hope of further cooperation in student and youth mobility programmes. The stakes are high, and they require decisive action in order to protect adequacy.

In the pages below, we give a short summary of our legal analysis (available in full as an Annex) of the impact of UK data protection developments on: fundamental rights; primacy of the UK GDPR; lawful grounds for processing; the prohibition on processing special category data; the purpose limitation principle; safeguards around data processing for scientific research purposes; the independence, role and enforcement track record of the UK supervisory authority; and the scope for further divergence via delegated legislative powers. Particular focus is given to the shortcomings and blind spots of the draft UK adequacy decision.

Finally, we conclude with a set of recommendations on what could be changed to address these challenges.

SUMMARY OF ISSUES

1. Regulations 2023/1417 removed references to fundamental rights from UK data protection law.

The draft adequacy decision severely underestimates the impact of Regulations 2023/1417, which remove references to fundamental rights under the CFREU and replace them with the Convention rights under the ECHR. This change narrows the applicability of "rights and freedoms of data subjects" in relationships between private parties. In turn, data subjects' rights and interests are bound to be underweighted against the private sector in several key assessments, such as the conditions to process special category data, Article 23 restrictions, legitimate interests and DPIAs.

2. The REUL Act deleted the principle of supremacy of EU law from the UK GDPR.

The draft adequacy decision misunderstands the impact that the removal of the supremacy of EU law by the Retained EU Law Act had on UK data protection law. This change removed the hierarchical precedence of the UK GDPR over domestic enactments, which it had inherited from its former "supremacy of EU law" status. In turn, provisions enshrined in the UK Data Protection Act now prevail over and override those of the UK GDPR. This effectively undermines the safeguards introduced by Article 23 of the UK GDPR, and is bound to have a profound impact on UK data protection law.

3. The DUA Act introduces the new lawful ground of “Recognised Legitimate Interests”, which legitimises data processing for an expansive list of purposes, even against an overriding right or interest of the data subjects.

The draft adequacy decision overestimates the safeguards around the new “Recognised Legitimate Interest” legal basis introduced by Section 70 of the Data (Use and Access) Act. The new legal ground for processing removes the “balancing test” for a number of “legitimate interests”, thus legitimising processing even when disproportionate against an overriding right or interest of the data subject. Contrary to the draft adequacy’s assessment, this legal basis can be relied upon for commercial purposes, and further purposes of a commercial nature could be added in the future via rule-making powers.

4. The DUA Act introduces a new rule-making power that can be used to restrict the definition of special category data and reduce legal safeguards.

Contrary to the assessment of the draft adequacy decision, the new rule-making power introduced by Section 74 of the Data (Use and Access) Act does not seem to negate the power of the Secretary of State to restrict the scope of the prohibition on the processing of special category data. This could be achieved by adding a subgroup to an existing definition of special category data and then lifting or amending the prohibitions for this new subgroup.

5. The DUA Act introduces a new, expansive exemption from the purpose limitation principle, which legitimises further processing without regard to the original purpose for which the data was collected.

The draft adequacy decision does not address several important aspects of the new list of purposes for which processing is "to be treated as compatible with the original purpose", introduced by Section 71 of the Data (Use and Access) Act. This list effectively introduces new restrictions on the purpose limitation principle, but without implementing any of the safeguards required by Article 23 of the UK GDPR. Contrary to the draft adequacy decision's assessment, this legal basis can be relied upon for commercial purposes, and further purposes of a commercial nature could be added in the future via rule-making powers. In turn, further processing under this list risks being considered lawful even if it violates "the essence of the fundamental rights and freedoms" and cannot be considered necessary and proportionate in a democratic society.

6. The DUA Act introduces several changes to the rules governing data processing for scientific purposes, leaving scope for abuse for commercial interests.

The draft adequacy decision does not address the heightened scope for abuse opened by the new definition of scientific research, the new notion of purposeless consent and the new exemption from the requirement to notify data subjects introduced by Sections 67, 68, and 77 of the Data (Use and Access) Act. These could be used to pursue commercial activities under the guise of scientific research and legitimise mass data scraping while leaving individuals unaware that their data is being processed. Further, the draft adequacy decision does not address the interplay between these provisions and the list of processing to be treated as compatible with original purposes (Supra, §5), which includes “Making a disclosure of personal data for Research, Archiving or Statistical Purposes”.

7. The DUA Act gives the UK government the power to allow the onward transfer of personal data to third countries even in the absence of European Essential Guarantees.

Contrary to the assessment of the draft adequacy decision, Schedule 7(4) of the Data (Use and Access) Act would permit the UK government to allow onward transfers to a third country without considering the existence of key essential guarantees, including: the impact of law enforcement and national security access to personal data; the independence of the data protection authority; and the availability of judicial redress for the individual in the country of destination. Further, the UK government is given wide discretion to authorise these regulations for "any matter [they] consider relevant, including the desirability of data transfers".

8. The DUA Act allows the onward transfer of personal data to third countries on the basis of additional safeguards that do not ensure the availability of enforceable data subject rights and effective legal remedies.

Contrary to the assessment of the draft adequacy decision, Schedule 7(6) of the Data (Use and Access) Act only requires data exporters to act "reasonably and proportionately" when assessing the level of protection provided by the safeguards they rely upon for the onward transfer of personal data. In turn, data transfers that do not provide enforceable rights and effective remedies could still be considered subject to appropriate safeguards under UK law, insofar as the data exporter can demonstrate that they acted "reasonably and proportionately".

9. The DUA Act widens the scope for the UK government to interfere with the objective and impartial functioning of the UK supervisory authority, further eroding the independence of an already compromised regulatory authority.

The draft adequacy decision does not reflect the significance of the changes introduced by Schedule 14 of the Data (Use and Access) Act, and their impact on the real-world dynamics that have affected the Information Commissioner's Office (ICO) and its functioning in the last four years. The Act restructures the ICO into a corporate body, with powers for the government to appoint, dismiss and, in some cases, remove its members, and to change their salary and allowances.

Furthermore, safeguards that should prevent the removal of members of regulatory authorities for political reasons have already proven to be ineffective, and the threat of dismissal has already been leveraged by the UK government to obtain various commitments from the ICO and other independent regulators in relation to the discharge of their functions. Likewise, the appointment process of the Information Commissioner has already shown a high degree of politicisation, with evidence pointing toward Ministers being able to leverage the process to influence the functioning of the ICO.

10. The DUA Act dilutes the role of the UK supervisory authority, shifting focus away from regulatory enforcement and data subjects' rights toward data controllers and extra-legal considerations.

Contrary to the assessment of the draft adequacy decision, Section 90 of the Data (Use and Access) Act introduces a new principal objective and secondary duties that prevail over the role enshrined in Article 51 of the UK GDPR. This new statutory framework introduces several new interests and extra-legal considerations, amongst which the rights of data subjects are given no particular primacy and could get lost.

11. The performance of the UK supervisory authority is already showing a severe downward trajectory.

The assessment of the draft adequacy decision does not capture an ongoing, severe drop in data protection regulatory activity by the ICO, which points strongly away from rather than towards regular and concrete regulatory action.

12. Review mechanisms envisioned by the draft UK adequacy decision will struggle to effectively monitor relevant developments in UK data protection law, exposing EU-UK cross-border data transfers to heightened legal uncertainty.

While the full extent of the legal developments the UK has undergone over the past four years will take time to manifest, the scope for divergence is substantial, and it is at least dubious that UK data protection law still provides an "essentially equivalent level of protection" to that of the EU. Further, the DUA Act has introduced wide-ranging delegated legislative powers that the government can use to promote further divergence in key aspects of UK data protection law, such as lawfulness and purpose limitation, the prohibition on the processing of special category data, safeguards around automated decision-making and research, and international data transfers.

Changes introduced via delegated legislative power would become law within 28 or 40 days, giving little time for stakeholders to assess their impact or react to such developments. Lacking a mechanism that can review and react to these changes in a timely manner, the risk of these powers being used in a way that is incompatible with the continuation of the UK adequacy decision is substantial.

CONCLUSION: BOLD MEASURES ARE NEEDED TO FUTURE PROOF UK ADEQUACY

With the passage of the Data (Use and Access) Act 2025, the UK government has failed to address long-standing concerns with its domestic data protection framework, and has further lowered the level of protection of personal data afforded in the UK. This combination significantly increases the exposure of the UK adequacy decisions under the GDPR and LED to judicial challenge, if these were renewed by the European Commission in the form currently envisioned in the draft UK adequacy decision.

This state of affairs not only constitutes a substantial risk in the short term, but also sets the United Kingdom on a path that will likely prove unsustainable in the long term. This is not, however, a predetermined outcome. The United Kingdom has come a long way since Brexit and, outside the domain of tech policy, the need to pursue regulatory alignment with the European Union is now widely accepted. Being transparent about the trade-offs that pursuing regulatory divergence would have entailed for cross-border trade has been a key driver of this rapprochement, and the European Union needs to replicate this approach in the digital sphere if it wants to work toward the same, mutually beneficial outcome.

Having regard to the above, Open Rights Group recommends the following measures:

Cross-border regulatory dialogue to address outstanding concerns. Delegated legislative powers, while problematic, also provide the means to reverse the most serious issues introduced by the DUA Act. Likewise, the United Kingdom is a member of the ECHR and a signatory of the Modernised Convention 108+, although it has not yet ratified it. The European Union should consider establishing a firm and transparent dialogue on the issues at stake, and on how UK decision makers can leverage international instruments and the newly established delegated legislative powers to address these concerns and to further, rather than undermine, cross-border relationships.

Enhancing the monitoring of legal and practical developments in UK data protection law. The full extent of the changes introduced by legislative interventions in the UK will take time to manifest. Likewise, changes to fundamental principles and rights can be introduced via delegated legislative powers, with minimal public debate and within as little as 28 days of publication. Ensuring a more fluid and timely exchange of views with independent UK stakeholders, such as academia, experts and civil society, will be necessary to allow EU institutions to react proactively to these developments, and to ensure that concerns are discussed publicly before they become a done deal.

Establishing a mechanism to introduce functional separation in specific domains, shielding EU data from UK data protection law. This would disincentivise further divergence from EU data protection law, and provide an emergency measure that can prevent the UK adequacy decision from falling as a whole in the face of negative developments in UK law. The extent of the damage done by the DUA Act already warrants exploring the implementation of such a mechanism in the fields of scientific research and law enforcement data sharing.