On 28th June 2021, the European Commission (EC) adopted the two draft UK adequacy decisions proposed in February 2021, formally recognising that the UK’s data protection regime offers equivalent protection to EU citizens’ data as afforded by the EU GDPR. The adequacy decisions mean that personal data can continue to flow freely from the EU to the UK.
The adequacy decisions follow months of continuing assessment by the EC of the UK’s data protection regime during the 6-month grace period afforded by the Trade and Co-operation Agreement (TCA) reached in December 2020, which permitted the temporary continued flow of personal data during this time. The TCA also contained commitments by the UK to continue to provide high levels of protection to EU citizens’ data.
Had the EC failed to grant the adequacy decisions, personal data from the EU to the UK would only be permissible if alternative safeguards and mechanisms had been put in place by both the sender and receiver of such data. Continuous and undisturbed data flows are critical in a growingly digitalised world, and many businesses will undoubtedly breathe a sigh of relief that they can continue to receive personal data from the EU without the additional costs of revising existing agreements to incorporate safeguarding mechanisms and avoid the need to conduct time-consuming data mapping exercises.
The Information Commissioner, Elizabeth Denham, has welcomed the formal recognition of the UK’s data protection regime as adequate and stated that “approved adequacy means that businesses can continue to receive data from the EU without having to make any changes to their data protection practices” and this “is the best outcome as it means organisations can carry on with data protection as usual. And people will continue to enjoy the protections that their data will be used fairly, lawfully and transparently.”
The UK Government has also welcomed the formal grant of the adequacy decisions on the basis that the free flow of personal data supports trade, innovation and investment, assists law enforcement and intelligence agencies, and supports the delivery of critical public services sharing personal data between the EU and the UK.
The two decisions on the adequate protection of personal data in the UK can be found here.
The adequacy decisions come with a note of caution as they include a ‘sunset clause’. This provision has not (to date) been included in any other adequacy decisions granted to other countries by the EC. The sunset clause will mean that the adequacy decisions automatically expire after a four-year period. Whether the decisions are renewed is dependent upon the UK continuing to afford a sufficient level of protection to personal data – therefore, renewal is not guaranteed.
Over the next four years, the EC shall continue to assess and monitor the UK’s data protection regime and has the right to revoke the adequacy decisions should the UK’s data protection framework deviate from the level of protection currently afforded.
Our expert team of Data Protection Solicitors are able to advise you on the data protection aspects of your business and provide you with the appropriate documentation to ensure your compliance. For further information, you can access our dedicated Brexit Hub section or contact us on 0161 941 4000 or email our data protection specialists.