(fra kommisjonsbeslutningen)

(1) Commission Implementing Decision (EU) 2021/1773 (2) concludes that for the purposes of Article 36 of Directive (EU) 2016/680, the United Kingdom ensures an adequate level of protection for personal data transferred from the European Union to the United Kingdom within the scope of that Directive.

(2) When adopting Implementing Decision (EU) 2021/1773, the Commission took into account that, with the end of the transition period provided by the Agreement on the withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union and the European Atomic Energy Community (3) and once the interim provision under Article 782 of the Trade and Cooperation Agreement between the European Union and the European Atomic Energy Community, of the one part, and the United Kingdom of Great Britain and Northern Ireland, of the other part (4) would have ceased to apply, the United Kingdom may adopt, apply and enforce a new data protection regime, different to the one in place when it was bound by Union law.

(3) As this may have involved amendments to the data protection framework assessed in Implementing Decision (EU) 2021/1773 or other relevant developments, it was considered appropriate to provide that that Decision would apply for a period of four years as of its entry into force. Implementing Decision (EU) 2021/1773 was therefore set to expire on 27 June 2025, unless extended in accordance with the procedure referred to in Article 58(2) of Directive (EU) 2016/680.

(4) To decide on a possible extension of Implementing Decision (EU) 2021/1773, the Commission must assess whether the conclusion that the United Kingdom ensures an adequate level of protection remains factually and legally justified in light of developments that took place since the adoption of Implementing Decision (EU) 2021/1773 with respect to the elements listed in Article 36(2) of Directive (EU) 2016/680.

(5) In particular, on 23 October 2024, the UK Government introduced the Data (Use and Access) Bill (5) into the UK Parliament, proposing amendments to the Data Protection Act 2018 (DPA 2018) which is assessed in Implementing Decision (EU) 2021/1773. The Commission on 24 June 2025 adopted Commission Implementing Decision (EU) 2025/1225 (6), which extended the validity of Decision (EU) 2021/1773 for a period of six months until 27 December 2025. This time-limited technical extension allowed the Commission to finalise its assessment of the adequate level of protection for personal data provided by the United Kingdom on the basis of a stable legal framework, i.e. after the conclusion of the relevant legislative process.

(6) Since the adoption of Implementing Decision (EU) 2021/1773, the Commission monitored, on an ongoing basis, relevant developments in the United Kingdom (7). In accordance with recital 165 of Implementing Decision (EU) 2021/1773 special attention was paid to the application in practice of the United Kingdom rules on transfers of personal data to third countries, and the impact it may have on the level of protection afforded to data transferred under Implementing Decision (EU) 2021/1773, and to the effectiveness of the exercise of individual rights, including any relevant development in law and practice concerning the exceptions to or restrictions of such rights. Amongst other elements, case law developments and oversight by the Information Commissioner’s Office (ICO) and other independent bodies informed the Commission’s monitoring.

(7) Based on the assessment of these developments, including the amendments to the DPA 2018 introduced by the Data (Use and Access) Act, the Commission concludes that the United Kingdom continues to ensure an adequate level of protection for personal data transferred within the scope of Directive (EU) 2016/680 from the European Union to the United Kingdom.