Article

EPRS publishes paper on potential challenges to U.K. data adequacy decisions

EPRS publishes paper on potential challenges to U.K. data adequacy decisions
Published Date
Mar 26 2025
Related people
On March 7, 2025, the European Parliamentary Research Service (EPRS) published a paper outlining the challenges to U.K. data adequacy and ongoing national legislative reforms that could affect the renewal of the two existing adequacy decisions for the U.K. 

The U.K. adequacy decisions were originally due to expire on June 27, 2025, unless the European Commission found that the U.K. continues to maintain an 'essentially equivalent' level of data protection to that of the EU. The U.K. adequacy decisions were, subsequently, both granted a six-month extension until December 27, 2025.

The EPRS highlighted the following provisions under the proposed Data (Use and Access) Bill (introduced to Parliament in October 2024) as potentially threatening the renewal of the U.K. adequacy decisions:

  • The removal of protections and safeguards relating to automated decision-making;
  • The notable reduction of transparency obligations, particularly relating to AI data;
  • Granting undue powers to the Secretary of State to override safeguards; and 
  • The reduction of accountability relating to how data is shared in respect of law enforcement and other public purposes. 

The EPRS also summarised concerns expressed by digital rights organisations, academics and the tech industry concerning the Investigatory Powers (Amendment) Act 2024. These concerns relate to:

  • The introduction of a loosely defined concept of ‘bulk personal data’, with ‘low or no reasonable expectation of privacy’, which could be retained by intelligence services with categorical (rather than specific) judicial approval;
  • The exculpation of civil servants from the offence of ‘unlawfully obtaining communications data’ where the civil servant obtained the data with ‘lawful authority’ as the data had previously been made public;
  • Granting power to the Secretary of State to require telecommunications operators to notify service and product changes that could, if approved, hinder privacy and security improvements to facilitate surveillance operations; and
  • The requirement for recipients of data retention, national security, or technical capability notices to continue providing intelligence assistance, even in cases passed back to the Secretary of State for review (but where access was granted before issuance of the notice).

The EPRS paper is available here

 

Related capabilities