European Union: European Data Protection Board issued opinion on draft implementing decision on adequate protection of personal data by United Kingdom

On 16 October 2025, the European Data Protection Board (EDPB) issued the opinion 26/2025 on the European Commission draft implementing decision pursuant to Article 45(2) of Regulation (EU) 2016/679 on the adequate protection of personal data by the United Kingdom (UK). The European Commission’s draft decision extends the validity of the previous adequacy decision adopted on 28 June 2021 until December 2031, following a temporary extension under Decision (EU) 2025/1225. The EDPB assessed the adequacy of the UK legal framework in light of recent developments, including the Data (Use and Access) Act 2025, the Retained EU Law (Revocation and Reform) Act 2023 (REUL Act), and the Investigatory Powers Amendment Act 2024. The EDPB notes that most changes to the UK data protection framework aim to clarify and facilitate compliance, but some aspects of the draft adequacy decision need further clarification. It recommends the European Commission closely analyse and monitor the REUL Act 2023, particularly the removal of EU law primacy and direct application of EU law principles. The EDPB noted that the new powers granted to the UK Secretary of State via secondary regulations may reduce parliamentary oversight over areas such as international transfers, automated decision-making, and ICO governance, and recommended monitoring of potential divergences. The EDPB also called for detailed assessment and monitoring of UK rules on data transfers to third countries under the Data (Use and Access) Act, noting gaps regarding government access, individual redress, and independent supervision. It stresses concern over the UK Government’s use of Technical Capability Notices, which could undermine encryption and data security. Further, the EDPB advised monitoring of changes to the ICO’s structure and corrective powers, while acknowledging the ICO’s transparency and availability of enforcement data.