Commission’s Draft Adequacy Agreement contains erroneous analysis of UK’s Data (Use and Access) Act 2025 – Part 2

This blog is the continuation from Part 1 published last Tuesday.  In summary, the draft Adequacy Agreement (“the Agreement”) published by the Commission does not accurately describe the UK’s Data Protection regime and the impact of the Data (Use and Access) Act 2025 (“DUAA”).

This blog explores the error surrounding:

  • Research
  • International Transfers
  • National Security

In Part 1 of the analysis, the blog considered errors relating to:

  • Annex 1 – lawful basis
  • Special category of personal data
  • Annex 2 – incompatibility
  • Purpose Limitation Principle.

To download the whole 4,000-word analysis as one PDF, see the references at the end.

The problem is that the European Parliament is likely to agree adequacy on the Commission's erroneous analysis.

Error 5: Research

The Agreement goes into the definitional aspects of the Research purpose (paragraphs 17-20) and concludes that the “safeguards are similar to those required by Article 89”.  I am afraid to say that this assertion is for the birds.

I ask the reader whether the following comprise the characteristics of “similarity”:

  • An “appropriate safeguard” in the DUAA states that the processing for research purposes should not cause “substantial damage or substantial distress” to the data subject (i.e. this means moderate damage or moderate distress to data subjects is acceptable in the UK).  There is no equivalent provision in the GDPR (and related Recitals) that equates to this new UK “safeguard” in Article 84C(2).
  • Article 89 of the GDPR (and related Recitals) does not include, in its list of exemptions that can apply to the research purpose, an exemption from Article 13 (right to be informed). This has been introduced in the DUAA so that if a controller has already obtained a personal dataset and wants to further use/disclose that personal dataset for a research purpose, then there is no need to inform the data subject of that further use/disclosure for research purposes if certain appropriate safeguards apply (see above).
  • Article 89 of the GDPR (and related Recitals) does not include an exemption from Article 14. This similarly protects the UK controller who obtains personal data from another source (e.g. another controller) from informing data subjects about the research purpose if certain appropriate safeguards apply. It can be seen that, in combination with the new A.13 exemption, data sharing of ordinary personal data for any research purposes can occur without the knowledge of the data subject.
  • Exemptions to the GDPR and UK_GDPR should be introduced by a procedure similar to that set out in A.23(2); the UK exemptions from the right to be informed mentioned above do not follow this prescription. By contrast, the Agreement has omitted consideration of both “right to be informed” exemptions.

Overall, the Agreement is fixated on consent as the main lawful basis for the research purposes (paragraph 19). It has not considered that the exemptions from Articles 13 and 14 only make sense if another A.6 lawful basis is used for the research purpose (e.g. legitimate interest).

The fact that these new exemptions anticipate a non-consent lawful basis for the research purpose is easily shown.

If data subject consent is the lawful basis for the processing of personal data for research purposes, then there is no need for an exemption from informing data subjects about the further research purpose, because data subjects should have already been informed of that research purpose via the original consent procedures. After all, this is what “data subject consent” means.

In other words, if the data subject is consenting, they already know about the further research purpose. It is only when consent is NOT the lawful basis for the further research purpose that an exemption is needed.

Put simply, the Agreement does not consider that the new research provisions in the DUAA allow, in certain circumstances, existing personal datasets to be exchanged (i.e. further processed) between controllers for research purposes without informing data subjects, irrespective of the nature of the research and in the absence of data subject consent.

That is why the Agreement is deficient on research.

Error 6: International Transfers

To be fair to the Agreement, this is the only place where a warning shot is fired across the UK government’s bows. It states that “even if the UK is an associate member to the Global Cross-Border Privacy (CBPR) Forum….CBPR cannot constitute a valid transfer mechanism under UK law”. Hence, “If that were to change the Commission will… closely monitor further developments in this regard” (paragraph 50).

The previous Conservative Government were very keen on these CBPR transfer rules (see references), as they were “very relaxed” (to use polite language and not to upset the reader). The Commission’s worry is that the powers placed into the UK_GDPR by the DUAA allow for the adoption of these transfer rules. Hence its warning above.

Other than that, the Agreement states that “the UK remains very close” to the GDPR rules in relation to its transfer provisions in the DUAA.

“Very close”? Oh really?

The system of Adequacy Assessment by the Commission commenced with Directive 95/46/EC (i.e. it’s been active for two decades or so). So can anyone in Europe, nay on the Planet, answer the following question with a “yes”:

Has the Commission done any of the following…

  • Specify part of a Third Country as being adequate when the rest of that Country is not adequate?
  • Specify a specific recipient, controller or processor located in a Third Country as being adequate, when that Third Country is not adequate?
  • Specify a group of Third Countries as being adequate in one go (e.g. all countries that have implemented data protection legislation based on OECD Guidelines)?
  • “Confer a discretion on a person”. This is unexplained (even in the so-called “Explanatory Notes”). One presumes this permits another “person” (i.e. anybody) identified in future secondary legislation to make a decision about the transfer of personal data or the adequacy of protection in a Third Country?

Clearly the Commission has done none of the above, but the DUAA clearly grants powers for the Minister to do all of the above in Articles 45A(4)(c) and (d).

Yes, I know that the Commission has granted adequacy decisions to national legislation that covers all of the private sector in Canada (PIPEDA) or Japan (APPI), but the above bulleted possibilities are different. They give Ministers the power to define any specification of adequacy in any Third Country.

For example, consider the second bullet above. If a normal controller were transferring personal data to another controller located in a Third Country that was not adequate, it could, for example, rely on and implement Standard Contractual Clauses (SCCs) and then transfer. Job done.

So why does the UK Government want powers to enable transfers to a specific controller in a Third Country? The answer, I fear, is that the SCCs are too restrictive for the transfer to the Third Country to occur.

Instead, the UK Government has reserved powers to develop a policy objective and employ a specific controller in a Third Country to perform a particular processing task (e.g. a transfer to allow an “adequate” USA conglomerate to process a comprehensive set of NHS health records so that it can train AI programs).

Somehow the Agreement makes no comment on the above prospects. That is why it is deficient on this topic.

Error 7: National Security

Whenever the relationship between data protection and national security is discussed, it’s often a question of the blind leading the blind.  Very few outside those closely associated with these organisations know the complete picture of how these national security agencies process personal data or even what personal data they collect.

If someone does spill the beans (e.g. Edward Snowden), it’s a choice between exile or extraordinary rendition to Chateau d’If.

However, what I can show is that the Agreement makes an unreliable analysis of national security issues when discussing these agencies.

For example, paragraphs 74 and 75 reassure the reader about Part 4 of the DPA2018 (national security), and are impressed by the fact that the familiar Data Protection Principles, rights of data subjects, restrictions on the processing of special category of data etc. all apply to the processing by these agencies.

What is missing from this text is that the Information Commissioner cannot use his powers in relation to enforcing these data protection obligations, thanks to a broad exemption in S.110 of the DPA2018 (e.g. when the agencies claim that the exemption applies, that’s more or less conclusive).

Overall, however, the Agreement is very selective when it comes to analysing disclosure to, or from, these national security agencies. For instance, the Agreement contains many references to the powers these agencies have to demand personal data, and the safeguards such as judicial oversight and the procedural cross-checking that goes on to assess whether the warrants are really necessary (paragraphs 77-80).

That’s fine enough until one realises that what is missing from the Agreement’s analysis is any concept of voluntary disclosures to, and from, these agencies. One gets the impression by reading the text that the use of statutory powers is the only way these agencies collect or disclose personal data (paragraphs 77-85). This is not the case.

For instance, one of the new Recognised Legitimate Interests (see Error 1 in Part 1) relates to disclosures of personal data to these agencies for national security purposes. If this new RLI lawful basis is used by a disclosing controller, it means that the lawful basis for a disclosure of personal data to a national security agency is not pursuant to the exercise of a legal obligation. However, only the “legal obligation” option is the subject of the Agreement’s detailed analysis.

To illustrate this point, suppose a national security agency asked your organisation to disclose its complete HR database to them for some national security issue. Would your organisation say “No, use your powers”? I doubt that very much.

The voluntary disclosure would be lawful (Annex 1) and compatible (Annex 2) and subject to the national security exemption (Principles and rights all exempt) and not subject to the ICO’s powers.

So when a national security agency asks for a disclosure of personal data, it is not using its powers. The safeguards that the Agreement’s analysis assumes apply to mandatory disclosures by law therefore do not apply.

Additionally, the DUAA contains a mechanism to transfer personal data from the jurisdiction of Part 3 (law enforcement) to the jurisdiction of Part 4 (national security).  This takes a collection of personal data from a regime that is subject to the enforcement powers of the ICO, to a regime where those enforcement powers are exempt.

Here again, the safeguards that the Agreement’s analysis relies on for mandatory disclosure do not apply.

Hence, it is reasonable to conclude that the Agreement’s analysis of national security issues is so incomplete that it cannot contribute to any reliable assessment of whether or not the UK’s data protection regime is adequate.

Conclusion

It is clear from the above that the errors and omissions made across the whole Agreement make it an unreliable basis for an accurate assessment of data protection standards in the UK.

However, I suspect that is not the intent of the Commission with this Agreement. The world economy is in Trumpian turmoil, and the European Commission is keen not to harm the warming EU-UK economic relationship over some trifling, tittle-tattle, transfer detail.  Hence its hurried and botched analysis approving the DUAA changes as adequate.

In addition, since Directive 95/46/EC, these Adequacy Agreements have morphed into a tool in which politics, economic relations and commercial interests seem to play a greater role than data protection. Agreements with Argentina and Uruguay are early examples of this approach (see references).

So despite the significant errors and omissions identified above, I am expecting the Agreement to be approved. If so, it is clear that these Adequacy Agreements are not being promoted for reasons based on any coherent data protection analysis.

One suspects also that, when the UK specifies “adequate” countries, specifications generated by a Secretary of State using powers that exclude Parliamentary scrutiny, the Government will have its eyes on the economic or political benefits.

At best, such a declaration of adequacy will pay lip-service to data protection and the privacy of UK data subjects.

References

Download the complete analysis: “Draft Adequacy Agreement comments” (PDF).

House of Lords Delegated Powers and Regulatory Reform Committee (9th Report of Session 2024–25, HL Paper 49: 28 November 2024).

Degrading the Purpose Limitation Principle; blog of May 2025, https://amberhawk.typepad.com/amberhawk/2025/05/duab-degrades-the-purpose-limitation-principle-below-the-dp-standards-set-45-years-ago.html

Are Adequacy Agreements valid? See “Shrouded In Secrecy – Does The Comitology Procedure For GDPR Adequacy Decisions Fit Its Purpose?”, Michal Czerniawski, Masaryk University Journal of Law and Technology, Vol. 18(2), 2024.

The draft Adequacy Agreement: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

CBPR transfer rules: https://www.commerce.gov/global-cross-border-privacy-rules-declaration/

Explanatory Notes to DUAA: https://www.legislation.gov.uk/ukpga/2025/18/pdfs/ukpgaen_20250018_en.pdf

Autumn Data Protection Courses

Amberhawk is holding a workshop on the changes to the UK’s data protection regime arising from the Data (Use and Access) Act 2025, by Zoom, on Wednesday, September 24 (10.00am-4.45pm; £275+VAT).

The following courses, which follow the BCS Practitioner or Foundation syllabi on the DPA2018/UK_GDPR, can be attended in person, via Zoom, or as a mixture (i.e. part Zoom, part attendance, just in case “stuff happens on the day”).

  • Data Protection PRACTITIONER Course: London on September 15-19 (Monday to Friday, 5 days, 30am to 5.30pm).
  • Data Protection FOUNDATION Course: London on October 7-9 (Tuesday to Thursday, 3 days: 10.00am to 5.00pm).

More details on the Amberhawk website: www.amberhawk.com or email info@amberhawk.com.
