European Commission should rescind UK data adequacy

Seven civil society organisations are calling on European Commissioner Michael McGrath to rescind the UK’s data adequacy status, citing major concerns around the country’s ongoing erosion of privacy and data rights.

Writing to McGrath in an open letter dated 3 June 2025, the organisations argue that current data handling practices in the UK – in combination with the government’s forthcoming data reforms – represent a significant divergence from European data protection standards.

Expressing their “deep concerns,” the civil society groups – including European Data Rights (EDRi), Access Now, Statewatch, and Privacy International – said that since the UK was granted adequacy by the European Commission (EC) in June 2021, “the UK has seen a sustained and systemic erosion of privacy and data protection”.

Noting that straying from the standards set out in the European Union’s (EU) General Data Protection Regulation (GDPR) and Law Enforcement Directive (LED) has already undermined the fundamental rights of European citizens, the groups said “this degradation would be furthered” by the UK government’s proposed Data Use and Access Bill (DUAB).

“Allowing third countries such as the UK to benefit from unrestricted personal data flows with the EU while simultaneously weakening legal safeguards at home does not only endanger the rights of people in the EU, it also undermines the credibility of the EU’s data protection framework, exposes EU businesses to unfair competition, and devalues the Union’s regulatory leadership on the global stage,” they wrote.

“The UK government’s proposed reforms and recent actions threaten to imperil the UK’s data and privacy protections. This status of affairs will fuel uncertainty and threaten individuals and businesses alike.”

They added that without decisive action from the EC, there is “a substantive risk” that fresh UK adequacy decisions could be struck down by the Court of Justice of the European Union (CJEU).

In exiting the EU, the UK became a “third country” under the bloc’s rules, which means the EC will have to periodically assess whether the country’s data protection framework and practices provide an essentially equivalent level of protection for EU citizens’ data.

After it initially granted the UK separate adequacy statuses under both the GDPR and LED, the EC was clear in warning that the decision may yet be revoked if future data protection laws diverge significantly from those in Europe.

Problematic data protection practices

Commenting on the DUAB proposals – which “would represent a systematic weakening of privacy and data protection safeguards” – the civil society groups noted the bill will diminish the right not to be subject to automated decision-making; delegate “extensive” legislative power to UK ministers that would allow them to circumvent Parliamentary scrutiny when making decisions around the legality of data processing or transfers; and otherwise grant government and law enforcement agencies “expansive access” to personal data.

They added that the DUAB would also allow organisations to transfer data to jurisdictions with clearly lower data protection standards, potentially turning the UK into a “data laundering hub”.

The groups also highlighted further legislative initiatives with negative data protection implications outside of the DUAB. This includes the forthcoming Border Security, Asylum and Immigration Bill, which they argue is “incompatible with the fundamental principles” of the GDPR and LED because it would subject the data of European citizens to UK intelligence services and counter-terrorism legislation.

They also noted how the upcoming Fraud Bill would place millions of benefit claimants’ bank accounts under constant algorithmic surveillance, with banks being compelled to disclose people’s sensitive financial information at the “speculative discretion” of ministers. They said such bank account monitoring can happen regardless of whether an individual is based in the UK.

However, the concerns shared were not limited to upcoming legislative proposals, and include issues around current data protection practices. Regarding the independence of the Information Commissioner’s Office (ICO), for example, the groups highlighted its reticence to take regulatory actions that carry the full force of law.

“In 2024, the ICO published statistics which revealed that they had only taken regulatory action on one complaint out of the 25,582 which they had received, favouring actions that lack the force of law when they did respond,” they wrote.

“We are concerned that the ICO’s overreliance on [these] actions … is a symptom of the political pressure the ICO is receiving to not obstruct innovation or growth for UK businesses at the expense of UK data subjects’ effective right of redress.”

They also highlighted the data regulator’s decision not to formally investigate clear data protection concerns around UK policing’s use of hyperscale public cloud infrastructure, after Computer Weekly revealed in June 2024 that Microsoft could not guarantee the sovereignty of policing data hosted on its Azure platform.

They noted that despite calls from the Scottish Biometrics Commissioner to investigate the problems identified by Computer Weekly, “the ICO refused to intervene … citing concerns that ruling on the legality of the police cloud infrastructure would frustrate the operation of the UK-US Cloud Act Agreement”.

While Computer Weekly’s previous reporting on police hyperscale cloud use has identified major problems with the ability of these services to comply with the UK’s law enforcement-specific data rules, the government’s DUAB changes to police processing are seeking to solve the issues identified by simply removing the requirements that are already not being complied with.

Other serious concerns raised by the civil society groups include the growing use of live facial-recognition (LFR) technology by police, which is progressing “without effective oversight, transparency or mechanism to assess necessity and proportionality”, and the use of secretive Technical Capability Notices (TCNs) to compel service providers to remove encryption at the government’s behest, as the Home Office recently did with Apple.

“Adequacy isn’t a courtesy, it’s a legal guarantee that people’s fundamental rights are protected when their data is sent abroad,” said Itxaso Domínguez de Olazábal, a policy adviser at EDRi.

“The UK is systematically rolling back those protections, and in doing so, it is putting at risk not just EU people’s data, but the principle of rights-based governance itself. If the Commission extends adequacy despite clear divergence, it sends a troubling signal: that data protection is negotiable when trade or geopolitics are at stake.”

Commenting on the letter, Mariano delli Santi, a policy officer at the Open Rights Group, described the DUAB as “the latest in a series of attacks on data protection and privacy in the UK”.

He added: “Successive governments are not only harming the British public with these attacks, but are undermining our relationship with the EU. Losing our adequacy status at a time when the UK is trying to improve its economic outlook would be a costly self-inflicted wound that must be avoided at all costs.”

Computer Weekly contacted the Department for Science, Innovation and Technology (DSIT) about the letter, but received no response by time of publication. Both the department and ministers have previously and repeatedly said the DUAB has been crafted with data adequacy in mind.

Computer Weekly also contacted the EC, but similarly received no response by time of publication.
