European Commission decides UK Data Protection is adequate

1 July 2021

The European Commission has decided that UK Data Protection is adequate, for now.

The European Commission has come to a decision, if not a conclusion, regarding UK data protection adequacy. With the ‘bridging mechanism’ for EU/UK data transfers set to expire in a few days, the decision, although expected, was certainly cutting it close.

Although the UK had already decided that the EU and EEA offered adequate protection for the flow of data from the UK to the EU, the ‘bridging mechanism’ provided a temporary grace period for data flows to continue from the EU to the UK. This gave the EC time to assess UK adequacy under the GDPR and Law Enforcement Directive.

The decision gives a degree of certainty to organisations involved in cross border data transfers and reassures EU Citizens that their personal data will be protected if it is transferred to the UK. The Commission has concluded that, post Brexit, the UK continues to adhere to obligations set out under the GDPR and Law Enforcement Directive, respecting their overarching rights and underlying principles, and that these have been incorporated into UK law. Also acknowledged were the strong safeguards in place within the UK for public authority access to personal data, particularly with respect to national security implications.

Interestingly, the Commission has included a ‘Sunset Clause’ for the first time in an adequacy decision. What this means is that the decisions will automatically expire after four years in effect but can be automatically renewed provided that the UK continues to demonstrate an adequate commitment to the protection of personal data. The Commission also has the right to revisit their adequacy decision if they determine that the UK has deviated too far from the current adequate levels of protection.

Both the EU and UK have welcomed the decision, with businesses especially pleased as it means that they can continue to send to and receive data from the EU without having to make changes to current data protection practices.

Following the Brexit vote in June of 2016, the implications of data protection legislation have been hanging over much of the data related decision making for both UK and EU businesses and while this solves an important issue for now, there continues to be the possibility that the Commission will change its mind if the UK changes their current practice. Added to the ‘sunset clause’, this means that this decision may yet be overturned in 2025. The EU will be closely watching the UK’s performance on Data Protection, the relevant safeguards and equivalency for many years to come.

If you would like to learn more about how to ensure you are covered with respect to all obligations, principles and rights as laid out within both the GDPR and Law Enforcement Directive, as well as other information security obligations, then please reach out to Peter Friis or one of our other EU legislative experts. We would be happy to help you navigate the extensive legislative requirements and talk you through how to protect the private information that has been entrusted to you.