When it split from the EU, the United Kingdom was quick to achieve data adequacy status due to taking the terms of the General Data Protection Regulation (GDPR) with it. That status might now be in jeopardy, however, as civil society organizations are pressing the European Commission to let the adequacy decision lapse due to data protection and privacy concerns.
The complaints are centered on a number of reforms and new initiatives that the UK government has in the works, such as mandating that all encryption have government-accessible backdoors and continual algorithmic monitoring of the bank accounts of benefits recipients. Some of these practices would require platforms and service providers to make changes that would allow the UK government to reach beyond national borders to invade the privacy of data subjects not under their jurisdiction.
Civil society complaints cite a mix of overbearing monitoring proposals and enforcement failures
The civil society complaints portray the UK government as simultaneously having an overbearing collection of surveillance laws yet failing to adequately enforce existing terms against existing violators.
The complaints are summarized in an open letter organized by European Digital Rights (EDRi), a privacy and human rights association composed of over 50 European NGOs that tend to focus on digital rights issues. The letter cites a troubling pattern of UK legislative developments that trace back to not long after the data adequacy decision was issued in June 2021.
The headline item is the UK Data (Use and Access) Bill, which has passed the House of Commons and the House of Lords and currently awaits Royal Assent before becoming law. The bill builds on and modifies the GDPR-based structure that UK data privacy law has made use of since the “Brexit” split, including some developments that could threaten its parity status with the actual GDPR. The items in question include sweeping new exemptions that allow law enforcement and government agencies to access personal data, loosening of regulations governing automated decision-making, weakening restrictions on data transfers to “third countries” that are otherwise considered inadequate by the EU, and increasing the possible ways in which the UK government would have power to interfere with the regular work of the UK Data Protection Authority.
EDRi also cites the UK Border Security, Asylum and Immigration Bill as a threat to data adequacy, which has passed the House of Commons and is currently before the House of Lords. The bill’s terms would broaden intelligence agency access to customs and border control data, and exempt law enforcement agencies from UK GDPR terms. It also cites the UK’s Public Authorities (Fraud, Error and Recovery) Bill, currently scheduled to go before the House of Lords for review, which would allow UK ministers to order that bank account information be made available without demonstrating suspicion of wrongdoing.
The civil society group also indicates that the UK ICO would likely become less independent under the terms of the UK Data Bill, which would give the UK government expanded ability to hire, dismiss and adjust the compensation of all of its board members. And though these recent bills would generally expand government power over ICO, the letter accuses its current enforcement practices of being lax and overly favorable to offenders. It notes that ICO’s own published statistics for 2024 reveal that the agency received 25,582 privacy complaints yet took regulatory action on just one, instead addressing most with actions not backed by force of law.
NGOs urge preemptive action on data adequacy threats
At this point, much of the civil society complaint is speculative about potential future violations. EDRi is urging preemptive action, however, noting that if all of these bills stay on track it is likely that the existing data adequacy decision will be challenged and struck down by the Court of Justice of the European Union (CJEU). The European Commission has previously warned the UK that if its data protection laws deviate too much from the terms of the GDPR, the decision could be revoked.
One existing law that presents a direct threat to data adequacy is the U.K. Investigatory Powers Act of 2016, colloquially called the “Snooper’s Charter” by some sources. The issue with this law has been its interpretation and application as of late, with the matter coming to a head in February when leaked reports indicate it had been invoked to order Apple to provide an encryption backdoor to give the government free access to iCloud backups. This would provide UK authorities with access not just to the encrypted storage of residents, but of Apple customers throughout the world. Apple responded by disabling its Advanced Data Protection feature for UK customers.
The UK data adequacy decision was slated to expire this month, but recently received a six-month extension approval from the EDPB. The civil society groups are calling for withdrawal of this extension if the UK government does not ensure an equivalent level of data protection and implement a transparent process of review of the privacy concerns that have been raised.
Dr. Kolochenko, CEO at ImmuniWeb, believes that there is very little chance of this actually happening: “Without delving into the intricacies and complexities of national security law of the UK and EU member states, it would be fair to say that, in many aspects, the current UK legislation provides an equal or even better protection for individuals compared to legislation of some European countries. In any case, if the European Commission decides to rescind the UK data adequacy decision, the EU shall rapidly prepare for a reciprocal answer. Worst, such precedent may cause a domino effect, leading to invalidation of adequacy decisions with other countries. This might eventually lead to a digital self-isolation of European businesses and economic hardship for both large and small companies. Therefore, and in view of the recent comments made by Mario Draghi about the downsides of GDPR, the non-renewal of the UK adequacy decision seems to be quite unlikely in the near future.”

