European Fee ought to rescind UK knowledge adequacy
Seven civil society organisations are calling on European Commissioner Michael McGrath to rescind the UK’s knowledge adequacy standing, citing main issues across the nation’s ongoing erosion of privateness and knowledge rights.
Writing to McGrath in an open letter dated 3 June 2025, the organisations argue that present knowledge dealing with practices within the UK – together with the federal government’s forthcoming knowledge reforms – symbolize a major divergence from European knowledge safety requirements.
Expressing their “deep issues,” the civil society teams – together with European Information Rights (EDRi), Entry Now, Statewatch, and Privateness Worldwide – stated that because the UK was granted adequacy by the European Fee (EC) in June 2021, “the UK has seen a sustained and systemic erosion of privateness and knowledge safety”.
Noting that straying from the requirements set out within the European Union’s (EU) Basic Information Safety Regulation (GDPR) and Regulation Enforcement Directive (LED) has already undermined the basic rights of European residents, the teams stated “this degradation can be furthered” by the UK authorities’s proposed Information Use and Entry Invoice (DUAB).
“Permitting third international locations such because the UK to profit from unrestricted private knowledge flows with the EU whereas concurrently weakening authorized safeguards at house doesn’t solely endanger the rights of individuals within the EU, it additionally undermines the credibility of the EU’s knowledge safety framework, exposes EU companies to unfair competitors, and devalues the Union’s regulatory management on the worldwide stage,” they wrote.
“The UK authorities’s proposed reforms and up to date actions threaten to imperil the UK’s knowledge and privateness protections. This standing of affairs will gas uncertainty and threaten people and companies alike.”
They added that with out decisive motion from the EC, there may be “a substantive threat” that contemporary UK adequacy selections might be struck down by the Court docket of Justice of the European Union (CJEU).
In exiting the EU, the UK turned a “third nation” below the bloc’s guidelines, which suggests the EC should periodically assess whether or not the nation’s knowledge safety framework and practices present an basically equal stage of safety for EU residents’ knowledge.
After it initially granted the UK separate adequacy standing’ below each the GDPR and LED, the EC was clear in warning that the choice might but be revoked if future knowledge safety legal guidelines diverge considerably from these in Europe.
Problematic knowledge safety practices
Commenting on the DUAB proposals – which “would symbolize a scientific weakening of privateness and knowledge safety safeguards” – the civil society teams famous the invoice will diminish the best to not be topic to automated decision-making; delegate “intensive” legislative energy to UK ministers that will permit them to avoid Parliamentary scrutiny when making selections across the legality of information processing or transfers; and in any other case grant authorities and legislation enforcement companies “expansive entry” to private knowledge.
They added that the DUAB would additionally permit organisations to switch knowledge to jurisdictions with clearly decrease knowledge safety requirements, probably turning the UK right into a “knowledge laundering hub”.
The teams additionally highlighted additional legislative initiatives with adverse knowledge safety implications outdoors of the DUAB. This contains the forthcoming Border Safety, Asylum and Immigration Invoice, which they argue is “incompatible with the basic rules” of the GDPR and LED as a result of it will topic the info of European residents to UK intelligence providers and counter-terrorism laws.
Additionally they famous how the upcoming Fraud Invoice would place tens of millions of profit claimant’s financial institution accounts below fixed algorithmic surveillance, with banks being compelled to reveal folks’s delicate monetary info on the “speculative discretion” of ministers. They stated such checking account monitoring can occur no matter whether or not a person relies within the UK.
Nevertheless, the issues shared weren’t restricted to imminent legislative proposals, and embrace points round present knowledge safety practices. Concerning the independence of the Data Commissioner’s Workplace (ICO), for instance, the teams highlighted its reticence to take regulatory actions that carry the complete drive of legislation.
“In 2024, the ICO revealed statistics which revealed that they’d solely taken regulatory motion on one criticism out of the 25,582 which they’d acquired, favouring actions that lack the drive of legislation after they did reply,” they wrote.
“We’re involved that the ICO’s overreliance on [these] actions … is a symptom of the political stress the ICO is receiving to not impede innovation or development for UK companies on the expense of UK knowledge topics’ efficient proper of redress.”
Additionally they highlighted the info regulator’s choice to not formally examine clear knowledge safety issues round UK policing’s use of hyperscale public cloud infrastructure, after Pc Weekly revealed in June 2024 that Microsoft couldn’t assure the sovereignty of policing knowledge hosted on its Azure platform.
They famous that regardless of calls from the Scottish Biometrics Commissioner to analyze the issues recognized by Pc Weekly, “the ICO refused to intervene … citing issues that ruling on the legality of the police cloud infrastructure would frustrate the operation of the UK-US Cloud Act Settlement”.
Whereas Pc Weekly’s earlier reporting on police hyperscale cloud use has recognized main issues with the power of those providers to adjust to the UK’s legislation enforcement-specific knowledge guidelines, the federal government’s DUAB adjustments to police processing are in search of to resolve the problems recognized by merely eradicating the necessities which are already not being complied with.
Different critical issues raised by the civil society teams embrace the rising use of reside facial-recognition (LFR) expertise by police, which is progressing “with out efficient oversight, transparency or mechanism to evaluate necessity and proportionality”, and using secretive Technical Functionality Notices (TCNs) to compel service suppliers to take away encryption on the authorities’s behest, because the House Workplace just lately did with Apple.
“Adequacy isn’t a courtesy, it’s a authorized assure that individuals’s basic rights are protected when their knowledge is shipped overseas,” stated Itxaso Domínguez de Olazábal, a coverage adviser at EDRi.
“The UK is systematically rolling again these protections, and in doing so, it’s placing in danger not simply EU folks’s knowledge, however the precept of rights-based governance itself. If the Fee extends adequacy regardless of clear divergence, it sends a troubling sign: that knowledge safety is negotiable when commerce or geopolitics are at stake.”
Commenting on the letter, Mariano delli Santi, a coverage officer on the Open Rights Group, described the DUAB as “the most recent in a collection of assaults on knowledge safety and privateness within the UK”.
He added: “Successive governments aren’t solely harming the British public with these assaults, however are undermining our relationship with the EU. Shedding our adequacy standing at a time when the UK is making an attempt to enhance its financial outlook can be a expensive self-inflicted wound that have to be prevented in any respect prices.”
Pc Weekly contacted the Division for Science, Innovation and Know-how (DSIT) concerning the letter, however acquired no response by time of publication. Each the division and ministers have beforehand and repeatedly stated the DUAB has been crafted with knowledge adequacy in thoughts.
Pc Weekly additionally contacted the EC, however equally acquired no response by time of publication.
