Europe urged to revoke UK's data adequacy status
Government's practices are increasingly diverging from the EU's data protection framework, argue civil society groups
A coalition of seven leading civil society organisations has called on the European Commission to revoke the United Kingdom's data adequacy status, citing what they describe as a sustained and systemic erosion of privacy and data protection standards in the UK.
In an open letter addressed to European Commissioner for Financial Services, Michael McGrath, and dated 3rd June 2025, the groups, including European Digital Rights (EDRi), Access Now, Privacy International and Statewatch, expressed deep concerns over the UK government's data handling practices and legislative reforms.
The groups stated that the government's practices are increasingly diverging from the EU's data protection framework.
The adequacy status, granted in June 2021 under both the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED), allows the free flow of personal data between the EU and UK.
However, the organisations argue that the UK has not maintained "essential equivalence" with EU privacy laws, and that ongoing legal changes, particularly the proposed Data Use and Access Bill (DUAB), threaten to undermine the very principles on which the adequacy decision was based.
"The UK has seen a sustained and systemic erosion of privacy and data protection," the letter reads.
The DUAB, currently under parliamentary consideration, is at the heart of the groups' complaint.
The letter argues that the bill would significantly weaken privacy safeguards by:
- Undermining the right not to be subject to automated decision-making;
- Granting UK ministers wide-ranging powers to modify data rules without full parliamentary scrutiny;
- Enabling data transfers to countries with inadequate protections, effectively turning the UK into a "data laundering hub";
- And expanding government and law enforcement access to personal data with minimal oversight.
The groups also warned that the changes could destabilise future legal certainty, posing risks to individuals and businesses alike, while exposing EU firms to unfair competition.
Beyond DUAB, the letter highlights other pending legislation with major privacy implications, such as the Border Security, Asylum and Immigration Bill, which the signatories claim would place European citizens' data under the jurisdiction of UK intelligence agencies, contrary to GDPR and LED principles.
Criticism was also levelled at the UK's current data protection enforcement.
The groups cited 2024 data from the Information Commissioner's Office (ICO), showing that just one out of over 25,000 complaints led to regulatory action with legal force. They argue this reflects political pressure to avoid hindering UK innovation or business growth, at the expense of individual rights.
The letter also condemned the ICO's decision not to investigate UK police use of Microsoft's Azure cloud platform, despite known sovereignty concerns and warnings from the Scottish Biometrics Commissioner.
The groups noted that the regulator declined to act, citing potential conflicts with the UK-US Cloud Act Agreement.
The UK government's apparent solution, they warned, is not to correct compliance issues, but to remove the legal safeguards being violated. This was reflected in DUAB provisions that seek to eliminate requirements around police data processing, effectively legalising current non-compliant practices.
The groups concluded their letter by warning that unless the Commission takes decisive action, there is a substantive risk that the UK's adequacy could be struck down by the Court of Justice of the European Union (CJEU) in the future.
Under EU rules, adequacy status is not permanent.
As a "third country," the UK's data protection laws are subject to periodic reassessment by the European Commission, which explicitly reserved the right in 2021 to revoke adequacy if the UK's regulatory trajectory diverged from EU standards.