Privacy & Information Security Law Blog

On October 20, 2025, the European Data Protection Board (“EDPB”) adopted two opinions on the European Commission’s draft decisions to extend the validity of the UK’s adequacy status under the EU General Data Protection Regulation (“EU GDPR”) and the Law Enforcement Directive (“LED”) until December 2031. The existing decisions are set to expire on December 27, 2025. When considering the UK’s adequacy status, the European Commission and EDPB must take into consideration the recently passed UK Data (Use and Access) Act 2025 (see our previous blog for further details).

The EDPB expressed general approval of the UK’s continued efforts to mirror the EU’s data protection standards, noting that the majority of proposed amendments to the UK data protection regime are designed to enhance clarity and support compliance for both organizations and individuals. That said, the EDPB did highlight several areas which, in its view, require further examination and ongoing monitoring by the European Commission:

• International Data Transfers: The EDPB stated that the UK’s new adequacy test omits key elements previously considered essential, such as safeguards for government access, redress for individuals, and oversight by an independent supervisory authority. The EDPB recommends the European Commission further elaborate and closely observe the implementation and practical effects of these changes.
• Secretary of State’s New Powers: The UK Secretary of State now holds expanded authority to revise UK data protection rules via secondary legislation, potentially affecting areas such as international transfers, automated decision-making, and governance of the UK Information Commissioner’s Office (“ICO”). The EDPB calls for the European Commission to specify in the final decision which areas will be closely monitored to guard against divergence from EU standards.
• ICO Structure and Complaints Handling: The EDPB urged the European Commission to conduct a thorough assessment and ongoing monitoring of recent changes to the structure and governance of the ICO. This includes evaluating the rules for appointment and dismissal of board members, as well as the introduction of a new triage system for complaints handling. The EDPB praised the ICO for its transparency policy and availability of statistical and analytical data on enforcement activities.
• Changes to “Inherited” EU Law: The Retained EU Law (Revocation and Reform) Act 2023 removes the principle of EU law primacy and its direct application, including the right to privacy and data protection as derived from the Charter of Fundamental Rights. The EDPB urges the European Commission to provide a detailed assessment of these changes and their broader impact on the UK’s legal and data protection frameworks.
• Automated Decision-Making and Human Review: The EDPB stressed that the UK’s adoption of a more permissive stance on automated decision-making should be analyzed and monitored by the European Commission and urged the European Commission to consider the practical impacts of this change in its final assessment of the UK’s adequacy decisions.
• National Security and Law Enforcement Exemptions: The EDPB stated that it is essential that the European Commission carefully assess the extended national security exemptions under the law enforcement framework to ensure that such exemptions are necessary and genuinely intended to meet objectives of general interest recognized by the EU or to protect the rights and freedoms of others.
• Distinction Between Law Enforcement and National Security Processing: The EDPB highlighted the need for clear boundaries between processing for law enforcement and national security, to prevent legal frameworks from being stretched beyond their intended scope.

Read the press release. Read the draft opinion on the UK adequacy decision under the EU GDPR, and the draft opinion on the UK adequacy decision under the LED.