European Commission decides UK Data Protection is adequate
1 July 2021
The European Commission has decided that UK Data Protection is adequate, for now.
The European Commission has come to a decision, if not a conclusion, regarding UK data protection adequacy. With the ‘bridging mechanism’ for EU/UK data transfers set to expire in a few days, the decision, although expected, was certainly cutting it close.
Although the UK had already decided that the EU and EEA offered adequate protection for the flow of data from the UK to the EU, the ‘bridging mechanism’ provided a temporary grace period for data flows to continue from the EU to the UK. This gave the EC time to assess UK adequacy under the GDPR and Law Enforcement Directive.
The decision gives a degree of certainty to organisations involved in cross border data transfers and reassures EU Citizens that their personal data will be protected if it is transferred to the UK. The Commission has concluded that, post Brexit, the UK continues to adhere to obligations set out under the GDPR and Law Enforcement Directive, respecting their overarching rights and underlying principles, and that these have been incorporated into UK law. Also acknowledged were the strong safeguards in place within the UK for public authority access to personal data, particularly with respect to national security implications.
Interestingly, the Commission has included a ‘Sunset Clause’ for the first time in an adequacy decision. What this means is that the decisions will automatically expire after four years in effect but can be automatically renewed provided that the UK continues to demonstrate an adequate commitment to the protection of personal data. The Commission also has the right to revisit their adequacy decision if they determine that the UK has deviated too far from the current adequate levels of protection.
Both the EU and UK have welcomed the decision, with businesses especially pleased as it means that they can continue to send to and receive data from the EU without having to make changes to current data protection practices.
Following the Brexit vote in June of 2016, the implications of data protection legislation have been hanging over much of the data related decision making for both UK and EU businesses and while this solves an important issue for now, there continues to be the possibility that the Commission will change its mind if the UK changes their current practice. Added to the ‘sunset clause’, this means that this decision may yet be overturned in 2025. The EU will be closely watching the UK’s performance on Data Protection, the relevant safeguards and equivalency for many years to come.
If you would like to learn more about how to ensure you are covered with respect to all obligations, principles and rights as laid out within both the GDPR and Law Enforcement Directive, as well as other information security obligations, then please reach out to Peter Friis or one of our other EU legislative experts. We would be happy to help you navigate the extensive legislative requirements and talk you through how to protect the private information that has been entrusted to you.
Back to all newsOther news
- EU Trademark applications drop to lowest rate since 201922 March 2023
- New Associate Patent Attorney x 2: Welcome, Markus Engstrand and Tobias Viskers6 March 2023
- The Unified Patent Court and Unitary Patent system officially starts 1st June 2023!17 February 2023
- MetaBirkin Result provides early case law in growing area of NFT infringements15 February 2023
- WTR 1000 2023 ranks Zacco and 19 colleagues7 February 2023
- Zacco welcomes two Digital Brand experts to the team: Alexander Karlsson and Renaud Permezel26 January 2023
- Copyright chaos creates Christmas classic22 December 2022
- Season’s Greetings 202216 December 2022
- Lone Prehn wins Client Choice Awards 2022 for Trademarks in Denmark15 November 2022
- Zacco supports and partners with Star for Life Ukraine28 October 2022