Monitor British data rules, commission urged
The Europea Data Protection Board (EDPB) has welcomed the “continuing alignment” between Britain's and Europe’s data-protection framework, despite the recent changes in Britain’s legal framework.
The data body was giving its views on the European Commission’s proposal to renew two decisions that provide organisations based in the EU with a legal basis for transferring personal data to Britain.
EU law allows the transfer of personal data outside the European Economic Area (EEA) only if such a third country is considered to have laws essentially equivalent to those that safeguard personal data inside the EEA.
The commission is proposing to extend the validity of Britain’s adequacy decisions under and the (LED) for six years when they expire at the end of this year.
Changes to 2023 act
The EDPB said that most of the changes introduced to Britain’s data-protection framework aimed to “clarify and facilitate” compliance with the law.
It added, however, that some aspects of the commission’s draft decision could be further clarified.
It called on the commission to “further analyse and monitor” changes to the Retained EU Law (Revocation and Reform) Act 2023, in particular the removal of the principle of primacy of EU law and the removal of the direct application of the principles of EU law.
New powers
The EDPB also noted that the relevant British minister had been granted new powers to introduce changes to the new data-protection framework through secondary regulations, which require less parliamentary scrutiny.
The EDPB also urged the commission to “further elaborate” its assessment and monitor the rules on transfers from Britain to third countries.
It said that a new British adequacy test, introduced by the Data (Use and Access) Act 2025, did not refer to the risk of government access, the existence of redress for individuals, and the need for an independent supervisory authority in third countries.