Search

How can we help?

Icon

Extension of UK adequacy: The European Data Protection Board adopts the European Commission’s decision

Earlier this year, the European Commission adopted an extension of the two 2021 adequacy decisions with the UK for a period of six months, until 27 December 2025. It was hoped that this would allow the continued free flow of personal data from the EU to the UK and time for the legislative process of the Data (Use and Access) Bill to conclude. Once the DUA Bill had been passed into UK law, the Commission would assess the UK’s new legal framework and decide on whether it provides an adequate level of protection for personal data.

The European Data Protection Board (EDPB) has recently adopted an opinion which recognises the necessity of a six-month extension to the validity of the UK adequacy decisions under the GDPR and the Law Enforcement Directive (LED), as proposed by the European Commission.

What does the EDPB opinion mean?

The opinion recognises the necessity of a time-limited extension, as it will give the Commission the necessary time to assess the adequacy of the data protection provided by the UK regime when the DUA Bill has been passed into law in the UK. The EDPB notes that such an extension is “exceptional” and caused by the ongoing legislative process in the UK but believes, in principle, that it should no longer be prolonged. Such a decision seems sensible in the circumstances, particularly where the DUA Bill is awaiting final approval by the House of Commons.

Current status of the DUA Bill

The DUA Bill has recently been subject to a Parliamentary “ping pong” with it being subject to report stage and third reading in the House of Commons on 7 May 2025. Following some changes made, it was passed to the House of Lords to consider these changes [Please see our previous article on these changes]

Members of the House of Lords considered the DUA Bill and proposed new clauses to require UK AI developers and holders of their data, to:

  • Provide copyright owners with information regarding the text and data used in the pre-training, training, and fine-tuning and retrieval-augmented generation in their AI models, or any other data input to their AI models, and to provide a mechanism to enable copyright holders to identify individual works that have been used for these purposes.
  • Disclosable information about the identity of any bots that have been used to make their AI models available, including:
    • their names
    • the parties legally responsible for them; and

    • the purposes for which they have each been used.

Since these proposals, the Bill has now been returned to the House of Commons, which will consider the House of Lords’ amendments. It is hoped we then receive a decision on these proposals shortly after the House of Lords sitting on 19 May 2025.

Melanie Pimenta

Associate

View profile

+44 118 960 4653

The European Data Protection Board (EDPB) has recently adopted an opinion which recognises the necessity of a six-month extension to the validity of the UK adequacy decisions under the GDPR and the Law Enforcement Directive (LED), as proposed by the European Commission.

What does the extension of the adequacy mean for organisations?

Currently, the UK data protection rules that were considered to be adequate in 2021 will remain in place and continue to apply to personal data transferred from the EU to the UK so the current regime remains for now.

However, once the DUA Bill becomes law, the European Commission will assess the UK’s adequacy which is anticipated to take place nearer the end of this year, prior to the current adequacy decision expiring at the end of December 2025. Such a decision could impact how freely the UK processes personal data to other EEA countries, however given the history of how robust the UK’s data protection regime has been to date, it is hoped that the UK is found to have adequate data protection mechanisms in place.

Where we are seeing an increase in the use of AI, it will be critical to consider how such regulations and protections of personal data processed by AI have been legislated for organisations to then consider if they be required to have additional safeguards or checks in relation to such data.

For now, the passing of the DUA Bill is one to watch and we will report further on such impacts of this Bill once it becomes law. In the meantime, if you are using AI as part of your processes and tasks, we would suggest considering if such activities are considered in your privacy notices and data protection policies. If not, it would be prudent to ensure that such activities are included in these documents as well as ensuring that these documents are up-to-date to account for all of your organisation’s processing activities.

If you require any advice on what the DUA Bill or adequacy decision will mean for your organisation or you need support with drafting or reviewing data protection policies or privacy notices, do not hesitate to contact our Data Protection lawyers who would be happy to help.

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

Melanie Pimenta

Associate

View profile

+44 118 960 4653

About this article

Read, listen and watch our latest insights

art
  • 01 July 2025
  • Privacy and Data Protection

Data protection compliance: tricky issues for employers

This article highlights key issues organisations may face when processing personal data and stresses the importance of a proactive approach. It also outlines tailored training packages to support compliance and build internal expertise.

art
  • 20 June 2025
  • Privacy and Data Protection

Data Protection reform receives Royal Assent: What is the Data (Use and Access) Act 2025 (DUAA) and what it means for your business

The UK’s data protection framework is about to undergo its most significant change since the UK GDPR came into force. After months of parliamentary debate, the Data (Use and Access) Act 2025 (‘DUAA’) has successfully received Royal Assent.

Pub
  • 16 June 2025
  • Privacy and Data Protection

WhatsApp in the workplace: Is it legally safe?

In this podcast, Lucy White and Monica Mastropasqua, members of the Data Protection team at Clarkslegal, will address frequently asked questions from clients regarding the use of WhatsApp at work.

art
  • 13 June 2025
  • Employment

Human Resources – A Shift Towards artificial intelligence?

On 6 May 2025, the SRA authorised the first law firm providing legal services through artificial intelligence. Garfield.Law will provide an AI-powered tool which can assist businesses with the small claims court process, to aid in recovering unpaid debts.

art
  • 04 June 2025
  • Privacy and Data Protection

Decrypting the ICO’s Draft Updated Guidance On Encryption

Where data breaches are easily achieved by human error, encryption not only offers a secure way of sending personal data, but also provides another layer of protection if a data breach was to occur.

art
  • 21 May 2025
  • Privacy and Data Protection

ICO investigating online platforms and the importance of having a good privacy notice

The ICO has recently reported that it is investigating how social media and video sharing platforms use UK children’s personal information.