Commission’s Draft Adequacy Agreement contains an erroneous analysis of UK’s Data (Use and Access) Act 2025 – Part 1

The draft Adequacy Agreement (the “Agreement”) published by the European Commission last month contains seven basic errors of analysis which call into question whether the Agreement accurately reflects the current state of UK data protection law. This is important because the European Parliament is likely to approve this Agreement on the back of a very deficient analysis.

This blog (and the next one) explores the main errors. In summary, these errors involve:

  • Annex 1 – lawful basis
  • Special category of personal data
  • Annex 2 – incompatibility
  • Purpose Limitation Principle
  • Research – in Part 2 of the analysis
  • International Transfers – in Part 2 of the analysis
  • National Security – in Part 2 of the analysis

As can be seen, the errors cover most of the Agreement (a link to the Agreement is in the references). Despite this, the current position is as follows: the UK is likely to be granted a renewed Agreement which will expire on December 27, 2031.

If you cannot wait for Part 2 of the blog, or if it is easier, you can download the whole 4,000-word analysis as one PDF (see references).

Sunset Clause

So why does the Agreement propose a sunset clause? Well, I have two reasons for this:

  • First, two opposition political parties in the UK could be in government after the next General Election; they are likely to commit to pulling the UK out of the European Convention on Human Rights (“ECHR”) and are also unlikely to follow the jurisprudence of the Court of Justice of the European Union. However, the Agreement says the current Government, so far, is committed to both (paragraphs 11, 12 and 68; the latter especially).
  • Second, the Data (Use and Access) Act 2025 (“DUAA”) contains so many broad powers that no-one can be certain how these powers will be exercised by future Ministers. I am still of the opinion that these powers create an infrastructure for a data protection regime that is lower than the standards established by the DPA1984. By contrast, the Agreement hedges its bets because these powers have yet to be exercised in a way that creates an Adequacy problem. Hence UK DP law is, so far as the Agreement is concerned, OK for the moment.

In other words, the sunset clause exists because the European Commission does not want to be a hostage to fortune, especially if there were to be major political change in the UK after the next General Election (expected in 2029). At the same time, the Commission wants better economic and political relations with the UK; hence the Agreement is “GO” (for the moment).

What are the Commission’s concerns?

The European Commission is not really interested in how UK DP law works in practice. Rather, it is concerned with whether the provisions in UK law are capable of adequately protecting the privacy interests of EU nationals resident in the UK, or of EU nationals whose personal data is transferred from an EU Member State to the UK.

Note that the Commission is wholly uninterested in the protection afforded to UK data subjects resident in the UK. This, as Reform voters already know, is one of those “benefits of Brexit”; the UK is free to reduce the level of privacy protection afforded to its data subjects (which it has successfully done via DUAA).

What the UK Government can’t do is risk reducing the level of protection afforded to EU data subjects so far that it impacts on the UK-EU trading relationship; hence Adequacy cannot be jeopardised.

That is why, for example, the Agreement sticks to academic questions like: “Has the UK Regulator got sufficient powers to enforce the DP regime?” (answer = yes); rather than nitty-gritty questions such as: “Does the UK Regulator actually use these powers to enforce the DP regime?” (answer = no).

Error 1: Annex 1 (data sharing)

The Agreement claims that there is a “public interest” or “clear public interest” for all the disclosures described in Annex 1. In other words, all the Recognised Legitimate Interest (RLI) disclosures of personal data, made lawful by these new Article 6 lawful bases, are in the “public interest” (paragraphs 21-23).

For example: these RLIs “only concern areas where there is a clear public interest in the processing activity (according to the conditions set out in Annex 1)” (paragraph 23).

This position is demonstrably incorrect; the Agreement has ignored the impact of Section 8 of the DPA2018, which includes the two-letter word “OR”. Section 8, thanks to DUAA changes, now reads:

“The processing of personal data that is necessary for the performance of a task carried out in the public interest OR in the exercise of official authority includes processing of personal data that is necessary for ….

(c) exercise of a function conferred on a person by enactment”

The Agreement, as quoted above, assumes that RLI “only concerns areas where there is a clear public interest” (i.e. the text before the OR) when clearly the text after the OR concerns areas where there is no public interest, merely public bodies exercising their “official authority”.

To make this obvious, consider the ICO’s description of the impact of the first paragraph of Annex 1. His analysis says, in relation to a disclosure of personal data to any public body:

“…This allows an organisation to respond to requests for information from public bodies (or bodies carrying out public tasks) without having to decide whether the requesting body needs the requested information to carry out its public task. Instead, the organisation just needs to make sure the requesting body has confirmed that it needs the information to carry out its public task” (my emphasis).

The quote does not have any public interest in sight; that is why the Agreement’s assumption that there is a public interest is in error.

Error 2: Special Category of Personal Data

The Agreement states (in paragraph 26) that new Article 11A “does not allow the Secretary of State to … amend existing categories of special category of data”. This is also incorrect, as I explain below.

The actual provisions in A.11A provide a power to add to the existing types of special category of personal data and, importantly, to specify which condition in A.9 (or Schedule 1 of the DPA2018) overturns the prohibition in A.9(1) in relation to any addition.

There is no provision in A.11A that relates to amending or deleting the existing types of personal data in A.9(1). Instead, the new powers in A.11A, ostensibly included to expand the prohibition on processing special category of personal data, can be used to deliver the exact opposite.

Suppose the power is used to introduce a new class of special category of personal data described along the lines of “biometric data for the purposes of uniquely identifying an individual”: for example, “cancer records for the purpose of AI training”. Suppose the power is also used in a way that identifies which A.9 condition is to be used to overcome the prohibition.

In this way, the protection afforded for using health records in AI training can be undermined, because the addition creates a subset of health records, a purpose of the processing, and specifies which condition overcomes the prohibition. Government could thus achieve AI economic priorities by using its powers to diminish data protection concerns (e.g. allow private contractors to process NHS records for AI training).

Note that this is not an amendment to existing categories of special category of personal data (e.g. health); the trick is to create a new subset of special category data associated with a specific policy objective.

The Agreement has totally missed this prospect.

Error 3: Annex 2 (Incompatibility)

The Agreement refers to Annex 2 (paragraphs 28-32) and explains that Annex 2 entries (like Annex 1) are justified as there has to be a “public interest” or a “clear public interest” in the further processing for that further processing to be deemed to be compatible.

The Agreement fails to understand what public interest means in the UK context, and the inter-connectivity between the powers of the Secretary of State to amend Annex 1, Annex 2 and to introduce exemptions via Article 23(1). As they are inter-connected, they should not be considered in isolation. This is what the Agreement erroneously does, and thereby it misses the big picture.

To illustrate these connections in a relatively non-nerdy way, I need to explore the immigration exemption which was introduced into UK law via A.23(1)(e) on the grounds of “public interest”.

This exemption also features in detail in the Agreement (paragraphs 37-39). This is because the immigration exemption was subject to judicial review in the UK and declared unlawful, and the time taken to correct the exemption meant that processing for immigration purposes had to be excluded from the old Adequacy Agreement (which expires in December: grisly detail in footnote 3 of the Agreement).

However, the history of the immigration exemption is revealing, especially since it did not exist in the DPA1984 nor in the DPA1998. Under these Acts, the immigration authorities processed personal data without relying on an immigration exemption (they relied on other exemptions).

Yet suddenly in 2018, an immigration exemption was desperately needed in the DPA2018 in the “public interest”. Why was this?

From 2013 to 2019, Mrs May was either Prime Minister or Home Secretary. She had developed a “Hostile Environment Policy”, saying that: "The aim is to create, here in Britain, a really hostile environment for illegal immigrants". Part of that Hostile Environment Policy was the addition of an immigration exemption to the DPA2018 which restricted, for example, subject access rights in order to make it more difficult for prospective immigrants to establish their right to remain in the UK.

Mrs May later regretted implementing this Policy, mainly because it helped to give rise to the Windrush scandal. However, although the Hostile Environment Policy is in its coffin, the public interest immigration exemption that it sired lives on.

Joined up dots

The immigration exemption’s history shows that the term “public interest” has been interpreted by Government to include the “policy interests of the Government of the day” (e.g. the Hostile Environment Policy). So whenever the Agreement refers to “public interest”, it has failed to understand (or does not want to understand) that this term can include processing for any future governmental policy agenda.

So suppose a future (populist) Government has a controversial policy objective called X that requires the processing of personal data. What Ministers do is fashion an exemption to protect X; this could be a small exemption from the right of access or from the right to be informed. This can be introduced into UK law by Ministers using the powers relating to A.23(1).

This new exemption is then the trigger that permits a new Recognised Legitimate Interest associated with purpose X to be added to Annex 1 (in the “public interest”, of course) and, if required, a further addition to Annex 2 (also in the “public interest”).

The outcome is that the processing for X is lawful, not trapped by incompatibility concerns and protected by an exemption – all through the use of powers to create secondary legislation which is not subject to much in the way of Parliamentary scrutiny.

This rather alarming prospect explains why the House of Lords Committee concluded that the powers to add to Annex 1 and Annex 2 were excessive and should be removed (see references).

It also explains why the Agreement’s analysis is wholly deficient on this point.

Error 4: Purpose Limitation Principle

The Agreement states in paragraph 29 that the changes to the Purpose Limitation Principle “applies where [personal] data is collected from the data subject or otherwise, that it applies where personal data is further processed by or on behalf of the same controller”.

In my last blog (see references), I explained at length why I thought the changes introduced by the Government opened the door for an alternative interpretation. Namely, that the Purpose Limitation Principle is satisfied when a controller obtaining personal data informs the controller disclosing that data of the purpose for which it requires the data.

I also argued that this credible additional interpretation meant that the revised Purpose Limitation Principle in DUAA did not even meet the standard established by Council of Europe Convention No. 108 as published in 1981.

Taken to the extreme, a Principle that originally protected the data subject from further incompatible processing has morphed, via DUAA, into a Principle that can make compatible any data sharing between two controllers.

In other words, I think the Agreement is just plain wrong about this Principle. I am content for readers to make up their own minds by following my analysis in the blog (see references).

To be continued, but you can download the complete Part 1 and Part 2 analysis here: Draft Adequacy Agreement comments (PDF).

References

House of Lords Delegated Powers and Regulatory Reform Committee (9th Report of Session 2024–25, HL Paper 49: 28 November 2024).

Degrading the Purpose Limitation Principle; blog of May 2025, https://amberhawk.typepad.com/amberhawk/2025/05/duab-degrades-the-purpose-limitation-principle-below-the-dp-standards-set-45-years-ago.html

Are Adequacy Agreements valid? See “Shrouded In Secrecy – Does The Comitology Procedure For GDPR Adequacy Decisions Fit Its Purpose?”, Michal Czerniawski, Masaryk University Journal of Law and Technology, Vol. 18(2), 2024.

The draft Adequacy Agreement: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

CBPR transfer rules: https://www.commerce.gov/global-cross-border-privacy-rules-declaration/

Explanatory Notes to DUAA: https://www.legislation.gov.uk/ukpga/2025/18/pdfs/ukpgaen_20250018_en.pdf

Autumn Data Protection Courses

Amberhawk is holding a workshop on the changes to the UK’s data protection regime arising from the Data (Use and Access) Act 2025, by Zoom, on Wednesday, September 10 (10.00am-4.45pm; £275+VAT).

The following courses, which follow the BCS Practitioner or Foundation syllabi on the DPA2018/UK_GDPR, can be attended in person, or via Zoom, or as a mixture (i.e. part Zoom, part attendance, just in case “stuff happens on the day”).

  • Data Protection PRACTITIONER Course: London on September 15-19 (Monday to Friday, 5 days, 30am to 5.30pm).
  • Data Protection FOUNDATION Course: London on October 7-9 (Tuesday to Thursday, 3 days: 10.00am to 5.00pm).

More details on the Amberhawk website: www.amberhawk.com or email info@amberhawk.com.
