UK Data Adequacy: European Commission Signals Continuity Following DUAA Implementation

On 22 July 2025, the European Commission published a draft adequacy decision in which it determined that the UK continues to offer a level of data protection that is “essentially equivalent” to the EU standards. This follows the UK’s adoption of the Data (Use and Access) Act 2025 (the “DUAA”) on 19 June 2025, and signals positive momentum for the renewal of the UK’s adequacy status, currently set to expire on 27 December 2025.

The UK adequacy decision is critical for enabling the free flow of personal data from the EU to the UK. Without it, EU-based organisations would need to rely on alternative safeguards – such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) – to continue sharing data with UK entities, which can be administratively burdensome and legally complex.

Background and Assessment

Under the General Data Protection Regulation (“GDPR”), personal data transfers to third countries are prohibited unless those countries ensure an adequate level of protection (or other safeguards are implemented). As a result of Brexit, the UK became a third country on 31 January 2020. To maintain continuity, the Commission granted the UK adequacy status in June 2021, subject to a four-year sunset clause.

The implementation of the DUAA introduces some divergence between the EU and UK in certain areas of data protection law. For further details on the changes introduced by the DUAA, please see our previous article here.

The European Commission’s assessment of the UK’s data protection framework included a review of the impact of the DUAA. It concluded that the UK GDPR and the Data Protection Act 2018, as amended by DUAA, continues to ensure a level of protection for personal data transferred from the EU that is essentially equivalent to that guaranteed by the GDPR.

What happens next?

Before the Draft Adequacy Decision can be formally adopted, three procedural steps must be completed:

1. The European Commission will seek the formal but non-binding opinion of the European Data Protection Board.
2. A committee composed EU member states will review and vote on the UK’s adequacy proposal.
3. The European Parliament retains scrutiny rights to the decision to ensure there is democratic oversight. Although it cannot veto the adequacy decision outright, its oversight may shape timing or procedural detail.

While it is possible that the European Commission could ultimately determine that changes to the UK regime are necessary before adopting the UK adequacy decision, we consider it unlikely that the UK’s adequacy decision will be withdrawn. Even with the DUAA reforms, the UK GDPR remains more closely aligned with the EU GDPR than any other jurisdiction deemed to be adequate by the European Commission.

For businesses operating across the UK and EU, if the UK adequacy decision is renewed, this will mean further uninterrupted data flows for up to 6 more years (with the possibility of a further four-year extension) without the need for additional safeguards. 

For advice on the proposed changes to UK data protection laws and other changes introduced by the DUAA, please contact Martin Cook, Madelin Sinclair McAusland, Amanda Leiu, or another member of our Commercial & Technology team. 

This article was written by Mopé Akinyemi and Amanda Leiu.