In my previous blogs (August 12 and 17), I showed that the Commission’s analysis of the Draft Adequacy Agreement/Decision covering the Data (Use and Access) Act (DUAA) was both deficient and superficial. Well the European Data Protection Board’s (EDPB) analysis of the Commission’s Draft Agreement has come to the same conclusion (see references).
Of course, the EDPB uses far more polite language than in my blog (i.e. it’s not as rude). It cushions its criticism in gentle words like: “inviting the Commission to monitor this” or asking the Commission to provide “clarifications on that” etc.
However, the outcome is the same. The Commission’s Draft Adequacy Agreement is not fit for purpose.
For example, on the first page of its analysis, the EDPB states that it requests “the Commission explicitly clarifies that all the elements listed in Article 45(2) GDPR were assessed in order to conclude that the UK’s overall legal framework continues to ensure an adequate level of protection for personal data transferred from the European Union to the UK” (my emphasis; para 5).
Well, the EDPB would not be making this kind of “explicitly clarifies” observation if it thought that “all the elements” in A.45(2) had been considered thoroughly by the Commission.
To save you looking it up, A.45(2) requires the Commission, when assessing adequacy (e.g. of the UK), to consider a list of factors such as: adherence to international human rights standards (under threat in the UK); “effective” data subject rights (diminished by DUAA); “the access of public authorities to personal data” (made more expansive by DUAA), and “the implementation of such legislation” (e.g. via wide-reaching Ministerial powers in the DUAA that face little or no Parliamentary scrutiny).
Why is this important?
Since the UK has left the EU, following the EDPB closely might seem like extreme navel-gazing. This view is wrong for two main reasons:
- The EDPB are looking to protect the personal data concerning European Citizens processed in the UK. Any concern raised by the EDPB that the protection afforded to European data subjects is diminished, obviously applies to UK data subjects.
- In its analysis, the EDPB are raising concerns that still exist in the DUAA. This contrasts with the UK’s Information Commissioner (IC), whose silence on these concerns is deafening. Both positions cannot be right at the same time: either there are concerns or there are not.
Ministerial powers
A major concern raised by the EDPB relates to the “implementation of such [data protection] legislation” via the exercise of Ministerial powers. The EDPB “notes that the Secretary of State has been granted new powers to introduce changes to the DUAA via secondary regulations, which require less Parliamentary scrutiny. … for instance, international transfers…, automated decision-making …, and the governance of the IC.” (para 19) [and in many other areas, I hasten to add].
It adds “these new powers are broad with no further information provided in the [European Commission’s] Draft Decision as to what safeguards will be put in place and how these powers are intended to be used in practice.”
Accordingly, the EDPB “invites the Commission to highlight in the final Adequacy Decision the areas which they intend to carefully monitor because there is a risk of further divergence with the EU data protection law via secondary UK legislation” (para 20).
Article 22D (on new automated decision taking rules) “gives the Secretary of State the power to specify through regulations whether there is or is not meaningful human involvement in the taking of the decision” or to describe whether an automated decision “is or is not considered to have a similarly significant effect on data subjects” (para 52).
The EDPB conclude “The scope and discretion of these powers are unclear. Therefore, the EDPB invites the Commission to analyse these newly conferred powers to the Secretary of State and monitor any developments in this respect” (para 53).
Of course, if the Commission had included any “Ministerial powers” analysis in its Draft Agreement, then these EDPB comments would have been redundant.
In general, the potential use of Ministerial powers vexes the EDPB. It additionally records that the Commission’s analysis missed out the expansive Brexit powers provided to Ministers by legislation enacted by the previous Conservative Government (i.e. remember the Government with an “oven-ready Brexit deal”?).
For instance, the EDPB reports that “although [these provisions are] currently on hold, a new more relaxed legal test for judges of the Court of Appeal and Supreme Court to depart from retained EU case-law could be introduced by virtue of [powers in] the REUL Act. This change, if enacted, has the potential to be a significant change” [to the UK’s stated commitment to abide with CJEU decisions concerning data protection] (para 11).
It is the range of Ministerial powers, whether they are exercised or not and, if exercised, to what extent they are exercised, which has caused the EDPB to recommend that a review of the UK’s data protection regime “takes place in four years” (para 116). The EDPB consequently “encourages the Commission to proceed with it in due course” (on that four-year timescale) rather than rely on a review of the UK’s data protection regime six months prior to renewal of any Final Adequacy Agreement in 2030.
Data sharing
With respect to voluntary data sharing with public bodies, the EDPB state “the question arises as to which criteria the controller has to assess in order to decide whether to voluntarily provide data in response to a request for information” (para 28).
To clarify this issue, under DUAA, a controller could volunteer to disclose personal data to, say, HMRC in three ways. The disclosing controller could use the following A.6 lawful bases: (a) in the legitimate interests of a Third Party (A.6(1)(f)); (b) because disclosure is in the public interest of the requesting controller (A.6(1)(e)); or (c) disclosure falls within the first Recognised Legitimate Interest (new Annex 1 to the GDPR) following a request from a public body (e.g. from HMRC).
All the EDPB is doing is asking the Commission’s analysis to include the answer to a simple question: as personal data of EU citizens are processed in the UK, what is the impact of the use of one lawful basis over the other?
Many data protection specialists in the UK would also like to know the answer to this question, especially when many disclosures of personal data to public bodies can additionally be subject to a statutory demand for such data.
For instance, many public bodies like HMRC or DWP are not short of powers to demand personal data. If these bodies can exercise powers, why are there three additional voluntary avenues to legitimise disclosure?
The issues raised above concerning the wide use of powers and data sharing show no sign of troubling the ICO.
PECR and removal of consent
As regards PECR, the EDPB notes that “several changes under the DUAA on the legal framework applicable to electronic communications, including cookies, and recalls that the processing of personal data might trigger the material scope of the UK GDPR. Therefore, it invites the Commission to include them in its assessment for the final decision insofar as they could have an impact on data protection” (i.e. PECR was missed out completely; para 15).
Roughly translating the last polite paragraph into the vernacular, the EDPB is asking the Commission: “how the f*** did you miss this in your analysis!”. That is why the EDPB “further calls on the Commission to closely monitor the practical effect of the changes related to cookies exempt from consent”.
Data Subject rights
The EDPB is concerned about the potential for reducing the right of access to personal data. Therefore, “in the EDPB’s view, it is important to define adequately the notion of “reasonable and proportionate searches”, which should be interpreted narrowly and in a sufficiently uniform manner” (para 34).
For instance “Controllers should have a consistent understanding of what is ‘reasonable and proportionate’, whether informed by case-law or by guidance from a supervisory authority, as the application of this notion could potentially lead to different standards in complying with the right of access, in particular depending on the level of technical and organisational measures the controller put in place to handle access requests” (para 34).
Consequently “the EDPB would welcome if the Commission could provide more detailed information on the interpretation of “reasonable and proportionate searches” based on the domestic guidance and case law available. Against this background, the EDPB invites the Commission to monitor that the right of access is not unduly limited” (para 34).
Onward transfers outside the UK
As stated in previous blogs, the transfer arrangements in the DUAA were the only area of real concern expressed in the Commission’s Draft Agreement, but only in the context of full UK membership of the Global Cross Border Privacy Rules (CBPR) Forum.
The EDPB also do not like these CBPR Rules. It “welcomes the position taken by the Commission … including the commitment to continue to closely monitor further developments in this regard, especially if the UK intends to progress to a full member.” This is because “CBPRs are not recognised as ensuring a sufficient level of protection for personal data originating from the EU”.
By contrast to the Commission, the EDPB is concerned at the flexibility in Article 45A(4) of the revised UK GDPR to deem certain transfers of personal data as “adequate”. This, the EDPB report, “could cover transfers to private entities [i.e. controllers or processors] in a third country”.
Then comes the killer comment: “It remains unclear how the Secretary of State would assess in practice that specific controllers based in a third country – not considered as adequate – can conform to the data protection test, for instance, with regard to redress” (para 39).
The above translates into two simple questions: how can a specific controller in a Third Country be deemed to be adequate as far as data protection is concerned, if the Country itself is not deemed to be adequate? And what legal processes protect the data subject’s interests?
The EDPB continue “Likewise, it remains unclear how the data protection test would be carried out for point (iv) and (v) of Article 45A(4)” (para 39). I must agree with that assessment: point (iv) of A.45A(4) implies that a transfer might be deemed adequate, via Ministerial powers, for some designated types of personal data but not for other types of personal data; point (v) implies that some methods of transfer make the transfer adequate and not others.
Remember, adequacy is supposed to be an assessment of the location to where the personal data are being transferred. Unlike the DUAA changes specified above, it is not a function of what is being transferred to that location or how the data are being transferred to that location.
Consequently the EDPB “would appreciate if the Commission could provide further details on the additional information and guarantees received on the practical application of the data protection test and explain its assessment as to how the level of protection is upheld in such situations” (para 40).
The EDPB additionally “invites the Commission to clarify this in its final Adequacy Decision as it is not entirely clear from the text of the law as well as to monitor its practical implication and implementation of such criterion” (para 41).
This is because “such clarification would provide great legal certainty and contribute to reinforce trust in the adequacy instrument” (para 44).
There again, by contrast, the UK’s IC has remained stoically silent on the subject of transfers.
The Information Commission
In my analysis, I stated that the Secretary of State had too much control over who is a Non-Executive Member of the new Information Commission.
The EDPB has the same concerns as it writes: “The EDPB invites the Commission to make a more detailed assessment of the restructuring of the Information Commissioner’s Office (“ICO”) as a board and the rules for appointment and dismissal of executive and non-executive board members.” (top of page 3).
Concluding comment
The above is only a snapshot of the problems raised by the EDPB. There is a lot more to its analysis, especially in relation to the potential for diminished protection arising from the law enforcement parts of the modified DPA2018 (Part 3), the revised provisions relating to national security (Part 4), and the relationship between these two Parts.
However, the overriding impression I get from reading the EDPB’s commentary on the UK’s DUAA is that the EDPB remains troubled over several issues, concerns which, it seems, do not appear on the ICO’s radar.
If the EDPB’s view is correct, this in turn raises the question of whether the current Information Commissioner has failed to lead public debate on important issues surrounding the DUAA, and whether his silence (perhaps acquiescence) has failed to protect the interests of UK data subjects.
Winter Data Protection Courses
In summary, the upcoming courses are:
- Data Protection Practitioner (5 days: Zoom and onsite): 24–28 November 2025; 2–6 February 2026
- Data Protection Foundation (3 days: Zoom and onsite): 13–15 January 2026 and 24–26 March 2026
- Data (Use and Access) Act Workshop (1 day: Zoom only): Thursday, 20 November and Thursday, 22 January 2026
References
Opinion 26/2025 regarding the European Commission Draft Implementing Decision pursuant to Regulation (EU) 2016/679 on the adequate protection of personal data by the United Kingdom Adopted 16 October 2025. https://www.edpb.europa.eu/system/files/2025-10/edpb_opinion_202526_united_kingdom_adequacy_gdpr_en.pdf