European Commission decides UK Data Protection is adequate
1 July 2021
The European Commission has decided that UK Data Protection is adequate, for now.
The European Commission has come to a decision, if not a conclusion, regarding UK data protection adequacy. With the ‘bridging mechanism’ for EU/UK data transfers set to expire in a few days, the decision, although expected, was certainly cutting it close.
Although the UK had already decided that the EU and EEA offered adequate protection for the flow of data from the UK to the EU, the ‘bridging mechanism’ provided a temporary grace period for data flows to continue from the EU to the UK. This gave the EC time to assess UK adequacy under the GDPR and Law Enforcement Directive.
The decision gives a degree of certainty to organisations involved in cross border data transfers and reassures EU Citizens that their personal data will be protected if it is transferred to the UK. The Commission has concluded that, post Brexit, the UK continues to adhere to obligations set out under the GDPR and Law Enforcement Directive, respecting their overarching rights and underlying principles, and that these have been incorporated into UK law. Also acknowledged were the strong safeguards in place within the UK for public authority access to personal data, particularly with respect to national security implications.
Interestingly, the Commission has included a ‘Sunset Clause’ for the first time in an adequacy decision. What this means is that the decisions will automatically expire after four years in effect but can be automatically renewed provided that the UK continues to demonstrate an adequate commitment to the protection of personal data. The Commission also has the right to revisit their adequacy decision if they determine that the UK has deviated too far from the current adequate levels of protection.
Both the EU and UK have welcomed the decision, with businesses especially pleased as it means that they can continue to send to and receive data from the EU without having to make changes to current data protection practices.
Following the Brexit vote in June of 2016, the implications of data protection legislation have been hanging over much of the data related decision making for both UK and EU businesses and while this solves an important issue for now, there continues to be the possibility that the Commission will change its mind if the UK changes their current practice. Added to the ‘sunset clause’, this means that this decision may yet be overturned in 2025. The EU will be closely watching the UK’s performance on Data Protection, the relevant safeguards and equivalency for many years to come.
If you would like to learn more about how to ensure you are covered with respect to all obligations, principles and rights as laid out within both the GDPR and Law Enforcement Directive, as well as other information security obligations, then please reach out to Peter Friis or one of our other EU legislative experts. We would be happy to help you navigate the extensive legislative requirements and talk you through how to protect the private information that has been entrusted to you.Back to all news
- EPO’s ten day postal rule abolished2 October 2023
- Zacco ranked as a Top Tier Patent Prosecution firm 2023 by Managing IP10 July 2023
- IAM Patent 2023 – Zacco ranked as a top IP firm, alongside 27 colleagues30 June 2023
- Zacco wins Nordic Firm of the Year 2023 at the Managing IP Awards!22 June 2023
- Hybrid IP Portfolio Management – webinar recording available19 June 2023
- IP Stars 2023 – Eighteen Zacco practitioners ranked as IP Stars by Managing IP22 May 2023
- Redemption notice Zacco A/S shares28 April 2023
- Zacco shortlisted in 11 categories at the Managing IP EMEA Awards 2023!28 April 2023
- Lone Prehn announced as one of the Top 250 Women in IP – 202327 April 2023
- ZACCO A/S – Notice of extraordinary general meeting19 April 2023