The European Commission (“EC”) has adopted a decision for data transfers to the UK under the GDPR. A separate adequacy decision under the Law Enforcement Directive was also adopted.
The adequacy decision means the EU has recognised the UK as having essentially equivalent data protection rules to the EU, which in turn will facilitate lawful international data transfers under the GDPR.
The decisions enable the free flow of data between the UK and EU (and EEA) to continue. The UK has already recognised the EU as providing an adequate level of data protection.
The adequacy decision was widely expected, but the timing was tight, with the current arrangements under the Brexit deal (where the UK is not considered a third country under the GDPR) due to end on 30 June 2021.
The EC noted that the UK is subject to the jurisdiction of the European Court of Human Rights and must adhere to both the European Convention of Human Rights and the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.
The adequacy decision will last for four years, at which point it will be reviewed. Interestingly, in the EC’s press release, Věra Jourová, Commission VP for values and transparency, stated they will continue monitoring any divergence from the EU’s data standards and “if anything changes on the UK side, we will intervene.”
Any adequacy decision post-2025 will not be a given. It will largely depend on UK data protection developments in the meantime. There is no automatic continuation if the UK’s standards are deemed to have slipped. The UK Government has previously signalled that it intends to rethink data protection provisions, and the EU will monitor this closely.
Businesses will be breathing a huge sigh of relief now the UK has an adequacy decision. It will allow the continued free flow of data between the UK and EU (and the EEA). However, any data transfers still need to be subject to the obligations under the GDPR, UK GDPR and Data Protection Act 2018, and any data transfers beyond the EEA (other than to countries which benefit from adequacy rulings) will need to be subject to further safeguards (such as standard contractual clauses or the derogations under Article 49 GDPR).