The European Commission has renewed two key decisions that allow personal data to continue moving freely and securely between the European Economic Area (EEA) and the

United Kingdom.

The move confirms that the UK’s data protection standards remain “essentially equivalent” to those of the EU—meaning companies and public bodies on both sides can keep transferring personal information without additional legal hurdles.

The original adequacy decisions, adopted in 2021 under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive, were due to expire on 27 December. In June 2025, the Commission granted a six-month technical extension to allow time to assess changes in UK law, including reforms introduced through the Data (Use and Access) Act.

Following a positive opinion from the European Data Protection Board and approval from EU Member States, Brussels has now formally renewed the decisions.

Under the new terms, the adequacy arrangements will run until 27 December 2031 and may be renewed again. A joint review involving the Commission and the European Data Protection Board will take place after four years to ensure the framework remains robust.

Why it matters

Adequacy decisions are crucial legal instruments that permit the unrestricted transfer of personal data from the EU and EEA to third countries judged to provide strong privacy protections. Without them, organisations would face complex legal requirements to share data across borders.

With the UK among Europe’s most significant digital and economic partners, the renewal is expected to provide long-term stability for businesses, law enforcement bodies and public authorities reliant on cross-border data flows. Photo by Hogweard, Wikimedia comons.