Adequacy, Equivalency and the Global Reach of GDPR

Cross-border transfers of personal data are the linchpin of modern economy and  are at the core of the GDPR framework. Among the mechanisms available to legitimise them, adequacy decisions stand out as the most comprehensive and  legally certain option for organisations to facilitate cross-border transfers of personal data (Article 45). They already existed under the Data Protection Directive (Directive 95/46/EC). As a matter of fact, the majority of the adequacy decisions in place were adopted before the GDPR. 

It is up to the EU Commission to decide whether a third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection.The CJEU has clarified that third country must offer “essentially equivalent” fundamental rights and freedoms to those established by law in the EU. Thus, a cross-border transfer to an adequate third country does not require any specific authorisation.

The main elements considered by the EU Commission when analysing the existence of adequate level of protection are (Article 42(2)): 

• the rule of law, respect for human rights and fundamental freedoms, relevant legislation including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, and implementation of such legislation as well as effective administrative and judicial redress for the data subjects whose personal data are being transferred;
• the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject; and
• international commitments arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems related to data protection.

To this last point, it is worth highlighting Recital 105 of the GDPR, which expressively lists the Council of Europe Convention 108 and its Additional Protocol as factors that should be taken into account during level of protection assessment. After the assessment phase, the EU Commission proposes a draft of a decision, which is followed by consultation from the European Data Protection Board (EDPB) and an approval from representatives of EU countries. Following such procedure, the EU Commission may decide that a third country, a territory or one or more specified sectors within a third country (e.g. Canada and the US), or an international organisation (e.g. European Patent Organisation)  ensures an adequate level of protection by adopting an implementing decision. This decision will determine the territorial and sectoral scope of the adequacy decision as well as the periodic review mechanism of at least every 4 years. Overall, the Commission monitors legal development in the third countries that could affect the adequacy decision negatively leading to repeal, amend or suspend the decision. That is exactly what’s happening to the adequacy decision in the United Kingdom. 

It goes without saying that political interests are present in granting such decisions since the procedure involves political entities. The example par excellence is the two invalidated adequacy decisions granted to the US by the CJEU in the famous cases Schrems I and Schrems II. 

Finally, the adequacy decision can be linked to the strong extraterritoriality features presented by the GDPR, especially on its Article 3. Blume argues that the EU aimed with the GDPR to protect European citizens’ data and to establish a standard of privacy protection worldwide and this legislative innovation caused numerous businesses to seek business solutions and outreach to businesses set outside the EU.

This boosted the phenomena coined by Anu Bradford as “Brussels effect”, the adoption of rules and standards established in the EU by third countries through the process of ‘‘unilateral regulatory globalization’’. In this sense and in view of the inelasticity of data, Orla Lynskey explains that non-EU countries, due to conditions for the transfer of data imposed by the GDPR, do consider the European standards in their legal systems. However, as the EU Commission has argued, adequacy decisions do not require literal replication of the EU Law, but rather that foreign legal system ensures the required level of protection in terms of effective implementation, supervision and enforcement.  

United Kingdom: Adequacy on a Timer

In light of the approaching deadline for the renewal of the adequacy decision of the UK, the EU Commission released the two draft decision adequacy decisions in July 2025. The UK adequacy decisions adopted under the GDPR and data protection law enforcement directive (LED) in  June 2021 are to expire in December 2025. Originally, its expiration date was in June 2025, but it was extended for another 6 months until December 2025.

Sunset clauses are not typically included on adequacy decisions, which usually undergo systematic reviews at least every four years. However, concerns over the UK’s possible regulatory divergence after Brexit led to the inclusion of a sunset clause in the first adequacy and now again in the renewal. 

The reason for the technical extension was to allow adequacy assessment to be carried out on the basis of a stable legal framework following the introduction by Downing Street of the Data (Use and Access) Bill, introduced by Downing Street in October 2024, proposing amendments to the UK GDPR and Data Protection Act 2018. The bill, now Data (Use and Access) Act (DUAA), received the royal assent in June 2025. Nonetheless, this was not the only legislative changes since the adequacy decision of 2021 (e.g. Data Protection (Fundamental Rights and Freedoms) Amendment Regulations 2023).

In July of this year, the EU Commission released the draft of the adequacy decisions, renewing the decisions until 27 December 2031. The drafts declare that, despite the legislative developments, the assessment made in 2021 remains valid for the UK data protection framework. The tone of the adequacy decision would be different if the Data Protection and Digital Information Bill had thrived on British Parliament, which proposed a series of business-friendly amendments to the framework. 

The draft stresses that the DUAA has introduced limited amendments to UK data protection framework such as, inter alia, the rules on data processing for purposes of scientific research, the legal bases for data processing,  the rules relating to the purpose limitation principle, and the conditions for automated decision-making and the replacement of ICO by a new entity, the Information Commission (IC) as the independent British data protection supervisory authority. 

Following normal procedure, the EDPB released its opinions regarding the two drafts decisions. The EDPB has raised concerns about the new powers of the Secretary of State to introduce the framework changes, through secondary regulations with less parliamentary scrutiny,  to international transfers, automation decision-making and the governance of IC. The European Board strongly encouraged the EU Commission to deepen its assessments over the rules on data transfers from the UK as the new test for British regulations approving cross-border data transfer do not refer to the risk of government access, redress for individuals and the need for an independent supervisory authority. In addition, similar were the arguments presented on the opinion concerning the draft of the adequacy decision under LED.

Interestingly, the EDPB opened a small parenthesis due to the overlapping of frameworks regarding the data transfers regarding law enforcement from the EU to the UK and the US and from the UK to US under UK-US Cloud Agreement and EU-US Umbrella Agreement, which the European board stressed the need to improve the level of safeguards under this agreement As result, data transfers from the EU to providers in the UK could be subject to orders issued by the US law enforcement authorities. Thus, the need for attention over the application and adaptation of the safeguards agreed under the umbrella and inclusion of the UK-US Agreement under future assessment and reviews of the adequacy decisions. Furthermore, the EDPB acknowledged the assessment approach taken by the EU Commission focusing on the DUAA. However, it instigated the EU Commission to explicitly clarify that all elements listed in Article 45(2) of the GDPR were reviewed.

Autonomy, but Not a Break From Europe

The new found freedoms led the UK to seek alternatives to EU Standards in phenomena called active and passive regulatory divergence. In this context, the UK was granted Associate status to the Global Cross Border Privacy Rules (CBPRS) Forum, linked to the APEC. The CBPRs are an international, voluntary framework that helps organizations demonstrate strong data-protection practices when transferring personal information across borders. In this regard, both the EU Commission and the EDPB noted that CBPRs are not recognised by the EU as ensuring a sufficient level of protection to personal data and do not entail any facilitation of data transfers amongst members of the forum. 

However, as indicated on the draft of the adequacy decision, the UK is not seeking a complete overhaul of its data protection framework. The UK is an essential part of the European economy with a relevant data-heavy services industry and it is also subject to international obligations from the Trade and Cooperation Agreement (TCA), Convention 108, and the European Convention of Human Rights.

Suggested citation:

Elio Machado Neto, ‘The UK Adequacy Decision Under Review: Regulatory Divergence, Stability, and the Future of EU–UK Data Flows’ (Comparative Digital Law Blog, 11 December 2025) <https://lawandtech.ie/the-uk-adequacy-decision-under-review-regulatory-divergence-stability-and-the-future-of-eu-uk-data-flows>.

About the author:

Elio Machado Neto is an Associate at Zeidler Group and a European Master in Law, Data and Artificial Intelligence (EMILDAI) graduate. In addition, Elio is a co-editor of the Comparative Digital Law Blog.