British businesses and NHS face huge extra costs if crucial UK-EU data agreement is not reached, Lords committee warns

British businesses and organisations such as the NHS will be hit by “significant” extra costs and red tape if the UK loses the right to exchange citizens' personal data seamlessly with the EU, according to an influential cross-party House of Lords Committee.

The situation also risks serious damage to UK's reputation as a destination for international investment, and triggering a decline in UK innovation.

These are the stark warnings contained in a letter to the Government from the Lords European Affairs Committee, chaired by former senior diplomat Lord Peter Ricketts.

The letter follows a 7-month inquiry by the Committee during which peers were warned of the consequences of losing “data adequacy” – the process whereby the EU recognises the UK's data regime, including GDPR, and so permits data to be freely transferred back and forth.

The Commission granted adequacy status to the UK in June 2021, but this runs out on 27 June 2025, at which point it has to decide whether to extend the status or let it expire.

Experts told the Committee that losing data adequacy would increase friction as well as costs in trade and other interactions between the UK and EU, which would “probably feed through into higher prices for consumers and probably reduce consumer choice (and) hurt consumer confidence”.

The Committee's letter urges the Government to engage in early talks with the Commission in Brussels, and other EU stakeholders, to ensure the UK maximises the prospects of achieving agreement in the first half of 2025.

The use of personal data is at the heart of modern life. Effective arrangements for exchanging this data safely are fundamental to fuelling economic growth in all areas of society, from medical breakthroughs, to helping people travel, manage their finances and shop online, and developing technologies such as artificial intelligence.

Lord Ricketts said: “The UK faces a potential cliff-edge in June 2025 unless agreement is reached with the EU on the continued free flow of data. The safe and effective exchange of data underpins our trade and economic links with the EU and cooperation between our law-enforcement bodies. The loss of data adequacy would create new barriers and run completely counter to the Government's ambitions to grow the economy and reset relations with the EU. We recommend that reaching timely agreement on data adequacy should be integral to the reset, and the Government's top data protection priority.” 

He added: “The UK's current GDPR regime is far from perfect. But the consequences of not reaching agreement with the EU are extremely harmful. There is clearly scope to reform and improve GDPR as part of the Government's new Digital Information and Smart Data Bill. But this must not jeopardise the UK's adequacy status.”

The Committee's letter, addressed to the Rt Hon Peter Kyle MP, Secretary of State for Science, Innovation and Technology, emphasises that losing adequacy would “raise new barriers to international trade and economic co-operation, and trust in the UK's digital economy, running counter to the Government's objective of boosting economic growth. Losing adequacy would also have an adverse impact on Northern Ireland”.

To limit uncertainty, the Committee recommends that the Government “engages early with the Commission and other EU stakeholders with a view to ensuring that the adequacy renewal process is on a positive track, and providing reassurance as soon as possible about the retention of adequacy status”.

The Government should also explore the prospects for securing future adequacy renewal decisions from the Commission which do not expire after a fixed period. It should engage with the EU in good time to explain and provide reassurances on any planned data protection reforms.

The Committee recommends that the Government be fully engaged in the wider debate about the future of international data flows, to ensure that the outcome serves UK interests.  Peers drew attention to the fact that the UK, in addition to having EU adequacy status, is a member of the emerging Global Cross-Border Privacy Rules system. This gives the UK the opportunity to act as a trusted and responsible “data bridge” as international data protection policies evolve.  

Committee members heard examples of ways in which losing adequacy status could cause significant problems across a range of areas – from fighting crime to banking and legal services, and medical treatment both in the NHS and for UK citizens abroad. The NHS Confederation and Understanding Patient Data estimated that the cost to the NHS of any loss of adequacy could be in the “tens of millions of pounds”. The Northern Ireland Human Rights Commission (NIHRC) and Equality Commission for Northern Ireland (ECNI) also warned that any loss of adequacy status by the UK would raise serious difficulties for individuals and institutions there.

Other witnesses cited a study by the New Economics Foundation/UCL European Institute which suggested that failing to secure adequacy status would impose additional compliance costs on UK businesses of £1.0-1.6 billion. The Information Commissioner, John Edwards, added that he had seen a range of estimates, but that the cost would be “enormous”.