European Commission Adopts UK Adequacy Decisions Allowing Personal Data to Freely Flow from the EU to the UK

On 28 June 2021, the European Commission announced that it has adopted two adequacy decisions for the UK, one under the General Data Protection Regulation (GDPR) and one under the Data Protection Directive with Respect to Law Enforcement (Law Enforcement Directive) (Adequacy Decisions). The announcement comes just two days before the bridging period for data transfers between the EU and the UK was set to expire. In its assessment, the European Commission has determined that the UK’s data protection laws are “essentially equivalent” to the data protection laws ensured within the EU. As a result of the Adequacy Decisions, personal data can continue to freely flow from the EU to the UK without the need for a data transfer safeguard (e.g., Standard Contractual Clauses or SCCs) to be in place. This announcement comes as very welcome news to many organisations transferring data between the EU and the UK.

The European Commission found that the UK’s data protection system continued to be based on the same rules that were applicable when the UK was a Member State of the EU, and that the UK had “fully incorporated” the principles, rights, and obligations of the GDPR and the Law Enforcement Directive into its post-Brexit legal system. The European Commission noted that the UK system provides “strong safeguards” with regard to how it handles personal data accessed by public authorities, specifically as it relates to national security.

Additionally, the European Commission noted that both Adequacy Decisions include a sunset clause, which limits the duration of adequacy to four years. After that period, the Adequacy Decisions may be renewed on the condition that the UK continues to provide an adequate level of data protection. During the next four years, the European Commission has stated that it will continue to monitor the legal situation in the UK and could intervene at any point if the UK deviates from the level of protection currently in place.

Finally, the European Commission has excluded transfers for the purposes of UK immigration control from the scope of the GDPR Adequacy Decision in order to reflect a recent judgment of the England and Wales Court of Appeal which deemed the Government’s “immigration exemption” in the Data Protection Act 2018 unlawful. Further, the European Commission outlined that it will reassess the need for this exclusion once the situation has been remedied under English law.

Those engaging in cross-border transfer activities can now breathe a sigh of relief as a result of these Adequacy Decisions for the UK. Companies transferring EU personal data to third countries that have not been found to be adequate (such as the U.S.), however, will need to continue to navigate the repercussions of new SCCs in light of the Schrems II guidance published by the European Data Protection Board (EDPB) last week. You can read our previous blog posts about the new SCCs here and the EDPB’s Schrems II guidance here.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.