On 28 June 2021, the European Union (EU) officially adopted the adequacy decisions allowing data to continue flowing freely to the UK. The UK adequacy decisions were adopted just in time as the six-month bridging period agreed under the UK-EU Trade and Cooperation Agreement expired on 30 June 2021. Following over a year of talks, the EU has formally recognised the UK’s high data protection standards, enabling UK businesses to benefit from unrestricted personal data transfers where they can receive personal data from the EU and European Economic Area (EEA), without needing additional arrangements in place with European data exporters.
Third countries without an adequacy agreement, such as the US, do not enjoy such free flow of personal data with EU member states. Instead, data exporters are forced to take steps to assess each transfer individually to determine if and how they can move data legally. In being granted adequacy, businesses in the UK have dodged disruption to their data transfer practices which is particularly helpful for organisations with a large EU customer base or those heavily reliant on service providers based in EU member states.
The two adequacy decisions, one under the General Data Protection Regulation (GDPR) and the other for the Law Enforcement Directive (LED), highlight the EU’s belief that personal data in the UK ‘benefits from an essentially equivalent level of protection to that guaranteed under EU law.’
Both of these adequacy decisions include a sunset clause in the case of future divergence by the UK, limiting the duration of adequacy to four years, after which adequacy might be renewed, but only if the UK continues to ensure an adequate level of data protection. Vêra Jourová, the Vice President of the European Commission for Values and Transparency, emphasised these safeguards when explaining the decision to adopt the adequacy decisions, stating that ‘if anything changes on the UK side, we will intervene’.
Commenting on the decision Becky White, our data protection and GDPR expert, stated: ‘This means that UK businesses can relax (for now) in the knowledge that they can continue to receive data from the EU without having to change their existing practices and contracts. The EU has confirmed that it will continue to monitor the UK’s data protection regime over the next four years however, and is able to intervene at any point if it believes the UK does not ensure an adequate level of data protection.’
The adequacy decisions are the latest in a series of recent important EU data protection developments, following the European Commission’s decision to adopt new standard contractual clauses (SCCs) for the transfer of personal data for third countries.