European Commission approves data flows with UK for another six years

The European Commission (EC) has renewed a pair of rules that will allow data to continue flowing between the European Economic Area and the UK.

The adequacy decisions were agreed after the UK left the EU via "Brexit" in 2020 on the grounds that the UK legal framework for data protections were as good as those in Europe.

While that was welcome news for British companies dependent on the flow of data, the former government still complained that the decision should have been taken before the official Brexit withdrawal date.

That agreement ran out in June 2025, but was given a technical extension of six months to give the EC time to consider the impact of changes brought in via Labour's Data (Use and Access) Act.

This loosened up some data controls for research and charitable fundraising, while requiring companies to have a data protection complaints procedure.

The aim, said then technology secretary Peter Kyle, was to enable the government to make use of the "goldmine of data" it holds for policing, admin and more.

In particular, the EC was considering the impact of those changes on the General Data Protection Regulation (GDPR) and the Law Enforcement Directive.

Six-year renewal

Now, the EC has announced that the adequacy decisions have been given another six years until 2031, with the possibility of renewal again, with the Commission and European Data Protection Board reviewing the system and any changes in four years.

"The decisions ensure that personal data can continue flowing freely and safely between the European Economic Area (EEA) and the United Kingdom, as the UK legal framework contains data protection safeguards that are essentially equivalent to those provided by the EU," the EC said in a statement.

The renewal means data will be able to continue to flow between the UK and Europe, avoiding serious disruption for businesses if that were to stop.

Adequacy agreements

The EC's first adequacy decision with a non-EU country following the introduction of GDPR was with Japan, coming into force in 2019, though the European body had similar agreements in place for other countries including Canada before the regulation was introduced.

Other countries with adequacy decisions in place include the US, Switzerland, Argentina, and Korea.

"The European Commission has the competence to determine, on the basis of the General Data Protection Regulation, whether a country or international organisation outside the EU ensures an adequate level of data protection," the EC explained.

"Following this, the Commission might initiate the process for the adoption of an adequacy decision, which allows the free flow of personal data from the EU and the European Economic Area (EEA) to a third country or international organisation without further obstacles."

For the UK renewal, a wide range of opinions were sought. "The adoption of the renewal decisions follows the European Data Protection Board's opinion and the Member States' green light in the so-called comitology procedure," the EC said in a statement, referring to a system that enables the EC to implement rules under the review of national representatives from member states.

The UK adequacy agreement was approved despite the changes introduced by the Data (Use and Access) Act introduced by the Labour government – which were more limited than a data overhaul initially planned by the last Conservative government that may not have been seen in such a positive light by the EC and member states.

FOLLOW US ON SOCIAL MEDIA

Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.

You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.