Seven Civil Society Organizations Are Calling on European Commissioner Michael Micgrath to Rescind the UK's Data's Data Adequacy Status, Citing Major Concerns ARONS ARONS ARONTRY ' Data rights.
Writing to mcgrath in an Open Letter Dated 3 June 2025, The Organizations Argue That Current Data Handling Practices in the Uk – In Combination With the Government's Forthcoming Data Reforms – Represtant a Significant Divergence Protection Standards.
Expressing their “Deep Concerns,” The Civil Society Groups – Including European Data Rights (Edri), Access now, Statewatchand Privacy International – Said that since the uk was granted adequaacy by the European Commission (EC) in June 2021, “The UK has Seen a Sustained and Systemic Erosion of Privacy and Data Protection”.
Noting that straying from the standards set out in the European Union's (EU) General Data Protection Regulation (GDPR) and Law Enforcement Directive (LED) Has alredy undermined the fundamental rights of european citizens, the groups said “this degradation would be furthered” Data use and access bill (Duab).
“Allowing Third Countries Such as the UK to Benefit from Unrestricted Personal Data Flows with the Eu While Simultaneously Weeking Legal Safeguards at Home Does not on the rightge The eu, it also undermines the creedibility of the eu's data protection framework, exposes eu businesses to unfair competition, and develop the union's Regulatory Leadership on the Global Station.
“The UK Government's Proposed Reforms and Recent Actions Threten to Imperil The UK's Data and Privacy Protects.
They added that without decisive action from the ec, there is “a substantive risk” that Fresh Uk Adequaacy Decisions BE Struck down by the court of Justice of Justice of the coup
In exiting the eu, the uk became a “third country” under the bloc's rules, which means the ec will have to periodically assess whose assess is the Country's Data Protection Framework Framework and Provide Essentially Equivalent Level of Protection for Eu Citizens' Data.
After it initially granted the uk separete adequaacy status Warning that the decision may yet be revoke If Future Data Protection Laws Diverge Significantly from that in Europe.
Problematic data protection practices
Commenting on the duab proposals – which “would report a systematic weaver and data protection safeguards” – The Civil Society Groups Noted The Bill will Diminish the right not to be subject to automated decision-MakingDelegate “Extensive” Legislative Power to Uk Ministers that would allow them to circumvent parliamentary scrutiny when Making decisions Around the legality of data processing or transfersAnd otherwise Grant Government and Law Enforcement Agencies “Expanysive access” to personal data.
They added that the duab would also allow allow Organizations to Transfer Data to Jurisdictions with Clear Lower Data Protection Standards, Potentially Turning the UK INTO A “Data Laundering Hubb”.
The groups also highlighted further legislative initiatives with negative data protection implications of the duab. This includes the forthcoming border security, asylum and immigration bill, which they argue is “incompatible with the fundamental principles” of the GDPR and LED BECAUSE it WOLD Subject the data of european citizens to uk intelligence services and counter-terrorism Legislation,
They also noted how the upcoming fraud bill would Place Millions of Benefit Claimant's Bank Accounts Under Constant Algorithmic SurvelanceWith banks being compelled to disclose people's sensitive financial information at the “Speculative Discretion” of Ministers. They said such bank account monitoring can happy Regardless of Whether an individual is based in the uk.
However, the concerns shared was not limited to upcoming Legislative Proposals, and Include issues Around Current Data PROTECTION PROCTICES. Regarding the independence of the information commissioner's office (ICO), for example, the groups highlighted its Reticence to take regulatory actions that carry the full force of law,
“In 2024, The ICO Published Statistics which Reveled That They Had Only taken regulatory action on one complant out of the 25,582 Which they had received, favorite actions that lacked the force of law when they did respond, “they write.
“We are concerned that the ico's overreliace on [these] Actions… is a symptom of the political pressure the ICO is receiving to not obstruct innovation or growth for uk businesses at the expenses of uk data subjects' Effective Right of Redress. “
They also highlighted the data regulator's decision not to formally Investigate Clear Data Protection Concerns Around Uk Uk Policing's Use of Hyperscale Public Cloud Infrastructure, After Computer Weekly Reveled in June 2024 That Microsoft Cold Not Guarantee The Sovereignty of Policing Data Hosted on Its Azure Platform.
They noted that despite Calls from the scottish biometrics commissioner to investment the problems identified By Computer Weekly, “The ICO refused to intervenne… Citing Concerns That ruling on the legality of the police cloud infrastructure would frustrate the operation of the uk-as cloud act agrement ”.
While Computer Weekly's Previous Reporting on Police Hyperscale Cloud Use Has Identified Major problems with the ability of these services to comply with the uk's law enforcement-specific data rulesThe Government's Duab Changes to Police Processing Are Seeking to solve the issues identified by simply removing the requirements That area alredy not being compiled with.
Other Serious Concerns Raised by the Civil Society Groups Include The Growing Use of Live Facial-Recognition (LFR) Technology By Police, which is progressing ”Without effective oversightTransparency or Mechanism to Assess Necessity and Proportionality ”, and the use of secondary technical capability notices (tcns) to compel service providers to remove encryption Behest, as the Home Office recently did with apple,
“Adequacy isn’t a courtesy, it's a legal guarantee that People's fundamental rights are protected when their data is synt abroad,” Said itxo domínguez dee olaze dee olaze Edri.
“The UK is Systematically Rolling Backs Protections, and in Doing So, It is Putting at Risk not just just eu people's data, but the prints-based governance itends Adequacy despite clear divergence, it sends a Troubling Signal: That data protection is negotiable when train or geopolitics are at stake. “
Commenting on the Letter, Mariano Delli Santi, A Policy Officer at the Open Rights Group, described the duab as “the latest in a series of attacks on data protection and privacy in the uk”.
He added: “Successive governments are not only harming the British public with these attacks, but are undermining our relationship with the eu. Improve its economic outlook would be a costly self-inflicted wound that must be avoided at all costs. “
Computer weekly contacted the department for science, innovation and technology (dsit) about the letter, but received no response by time of publication. Both the department and ministers have previously and reepeatedly said the duab has been crafted with data adequaacy in mind.
Computer weekly also contacted the ec, but similar received no response by time of publication.