Extension of UK adequacy: The European Data Protection Board adopts the European Commission’s decision

Earlier this year, the European Commission adopted an extension of the two 2021 adequacy decisions with the UK for a period of six months, until 27 December 2025. It was hoped that this would allow the continued free flow of personal data from the EU to the UK and time for the legislative process of the Data (Use and Access) Bill to conclude. Once the DUA Bill had been passed into UK law, the Commission would assess the UK’s new legal framework and decide on whether it provides an adequate level of protection for personal data.

The European Data Protection Board (EDPB) has recently adopted an opinion which recognises the necessity of a six-month extension to the validity of the UK adequacy decisions under the GDPR and the Law Enforcement Directive (LED), as proposed by the European Commission.

What does the EDPB opinion mean?

The opinion recognises the necessity of a time-limited extension, as it will give the Commission the necessary time to assess the adequacy of the data protection provided by the UK regime when the DUA Bill has been passed into law in the UK. The EDPB notes that such an extension is “exceptional” and caused by the ongoing legislative process in the UK but believes, in principle, that it should no longer be prolonged. Such a decision seems sensible in the circumstances, particularly where the DUA Bill is awaiting final approval by the House of Commons.

Current status of the DUA Bill

The DUA Bill has recently been subject to a Parliamentary “ping pong” with it being subject to report stage and third reading in the House of Commons on 7 May 2025. Following some changes made, it was passed to the House of Lords to consider these changes [Please see our previous article on these changes]

Members of the House of Lords considered the DUA Bill and proposed new clauses to require UK AI developers and holders of their data, to:

• Provide copyright owners with information regarding the text and data used in the pre-training, training, and fine-tuning and retrieval-augmented generation in their AI models, or any other data input to their AI models, and to provide a mechanism to enable copyright holders to identify individual works that have been used for these purposes.
• Disclosable information about the identity of any bots that have been used to make their AI models available, including:
  • their names
  • the parties legally responsible for them; and

  • the purposes for which they have each been used.

Since these proposals, the Bill has now been returned to the House of Commons, which will consider the House of Lords’ amendments. It is hoped we then receive a decision on these proposals shortly after the House of Lords sitting on 19 May 2025.

What does the extension of the adequacy mean for organisations?

Currently, the UK data protection rules that were considered to be adequate in 2021 will remain in place and continue to apply to personal data transferred from the EU to the UK so the current regime remains for now.

However, once the DUA Bill becomes law, the European Commission will assess the UK’s adequacy which is anticipated to take place nearer the end of this year, prior to the current adequacy decision expiring at the end of December 2025. Such a decision could impact how freely the UK processes personal data to other EEA countries, however given the history of how robust the UK’s data protection regime has been to date, it is hoped that the UK is found to have adequate data protection mechanisms in place.

Where we are seeing an increase in the use of AI, it will be critical to consider how such regulations and protections of personal data processed by AI have been legislated for organisations to then consider if they be required to have additional safeguards or checks in relation to such data.

For now, the passing of the DUA Bill is one to watch and we will report further on such impacts of this Bill once it becomes law. In the meantime, if you are using AI as part of your processes and tasks, we would suggest considering if such activities are considered in your privacy notices and data protection policies. If not, it would be prudent to ensure that such activities are included in these documents as well as ensuring that these documents are up-to-date to account for all of your organisation’s processing activities.

If you require any advice on what the DUA Bill or adequacy decision will mean for your organisation or you need support with drafting or reviewing data protection policies or privacy notices, do not hesitate to contact our Data Protection lawyers who would be happy to help.