The EDPB adopts two opinions on the Commission’s draft decisions extending the UK’s adequacy decisions under the GDPR and LED

The GDPR opinion

Under Opinion 26/2025, the EDPB notes that the REUL Act removes the general principles of the primacy of EU law and the direct applicability of the principles of EU law in the UK. The EDPB therefore invites the European Commission to explain the impact on the UK’s data protection framework and to monitor any future effects. The EDPB also calls for the European Commission to monitor the impact of changes introduced by the DUAA, including in relation to onward transfers and automated decision-making.

Onward transfers

In relation to onward transfers, the EDPB notes that the DUAA replaces the prior “adequacy” standard with a new “data protection test”, which requires that the third country’s protection is “not materially lower” than the UK standard. The EDPB states that indicative elements previously assessed (as part of the previous UK adequacy test) are no longer expressly listed. For example, rules on public authority access and public security, defence, national security and criminal law, case law, effective and enforceable data subject rights and remedies, and the existence of one or more independent supervisory authorities. The EDPB recommends that the European Commission clarifies certain aspects of its assessment of the data protection test and its practical implementation. It also invites the European Commission to clarify that the “desirability of facilitating transfers” is not part of the test and to monitor the Secretary of State’s new powers to approve transfers to a specific recipient, in a specific sector, by a specific data type or by a specific means.

Recognised legitimate interests 

The DUAA introduces a new statutory list of “recognised legitimate interests”, which may be relied on as a lawful basis for the processing of data where the processing is necessary and proportionate for the specified purpose, subject to certain conditions. The EDPB highlights certain recognised legitimate interests conditions for attention, for example, processing for national or public security and crime prevention, investigation or detection and the voluntary disclosure to a public authority for the performance of a “public task”.

The EDPB invites the European Commission to: 

1. provide further details on the information and guarantees received by the European Commission on the practical application of the recognised legitimate interest for national or public security purposes or the crime condition; and 
2. monitor the practical use of the voluntary disclosure to a public authority for the performance of a public task, especially where new requests relate to law enforcement or national security. 

Rights of access (proportionality assessment)

The EDPB notes that – whereas the proportionality assessment introduced by DUAA, in relation to responding to Article 15 UK GDPR requests, reflects developments under UK domestic case law – no such proportionality assessment exists in the EU data protection framework. The EDPB notes that it believes the notion of “reasonable and proportionate searches” should be interpreted narrowly and also expresses the same view on data access in its Opinion 27/2025 regarding the review of the LED adequacy decision.

Automated decision-making 

On automated decision-making (ADM), the EDPB notes a move from the GDPR’s restrictive approach to a safeguards‑based approach. The EDPB recommends that the European Commission develops its assessment of this new approach. The UK GDPR clarifies that a decision based solely on ADM means that there is no meaningful human involvement in the decision making. The UK GDPR, as updated by the DUAA, empowers the Secretary of State to specify whether there is such meaningful human involvement and to determine whether a decision has a similarly significant effect on data subjects. As a result, the EDPB encourages the European Commission to analyse the impacts and the breadth of the Secretary of State’s powers to define “meaningful human involvement” and “similarly significant effect” and expresses the same view on those powers of the Secretary of State in its Opinion 27/2025 on the review of the LED adequacy decision.

Technical Capability Notice

The EDPB also notes that the UK Government is alleged to have issued a Technical Capability Notice (TCN) against a technology company under the Investigatory Powers Act 2016, which would require the company to provide access to user data in a decrypted format. Notwithstanding that this power existed pre-Brexit (and the legal basis for TCNs existed at the time of the previous UK adequacy decision), the EDPB notes that this appears to be the first known application of this kind and could raise systemic risks to confidentiality of users’ data. The EDPB encourages the Commission to amend the adequacy decision to reflect the use of TCNs.

The press release is available here, the EDPB’s opinion under the GDPR is available here and the EDPB’s opinion under the LED is available here.