When the UK left the EU, the European Commission brought forward legislation which accepted that the UK continued to ensure an adequate level of protection for personal data transferred from the EU. This decision was taken in the context of Regulation (EU) 2016/679 (the General Data Protection Regulation — GDPR) and Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.
In December 2025, the Commission published two new Decisions, again taking account of the requirements of the GDPR and the directive on data regarding criminal activity. Decision (EU) 2025/2571 amending Decision (EU) 2021/1773 pursuant to Directive (EU) 2016/680 on the adequate protection of personal data by the United Kingdom can be found here, while Decision (EU) 2025/2574 amending Decision (EU) 2021/1772 pursuant to Regulation (EU) 2016/679 is available here.
Both the original post-Brexit Decisions were set to apply for a limited period as the Commission was aware that the UK might adapt its data protection laws once it was no longer required to follow EU legislation. The period set was four years and expired on 27 June 2025. It was, however, extended until 27 December 2025 to allow time for the Commission to complete its assessment.
Both the new Decisions go into some detail as to the changes which the UK has introduced, including particularly the UK GDPR, but eventually conclude that “the United Kingdom continues to ensure an adequate level of protection for personal data transfers”.
This latest agreement is set to expire on 27 December 2031 with provision for it to be extended.
