EU Commission Data Protection Adequacy Decision

14 July 2021 | Megan Shields

The European Commission has adopted a UK adequacy decision regarding personal data transfers from the EU to the UK. Personal data can continue to flow freely from the EU to the UK, as the data protection regime in the UK has been deemed to offer an equivalent level of personal data protection.

This is good news for businesses, as the uncertainty over the last few months surrounding future personal data exchanges has been removed. Business as usual continues under both the UK and EU GDPR. Provided that the UK does not diverge from its current regime, as some recent government murmurings have suggested, the adequacy decision remains for four years. Do note, however, that the European Commission did caveat this decision: the adequacy decision does not cover immigration data.

The European Commission had published their draft adequacy decision in February. Further progress was made towards UK data adequacy status with the publication of the European Data Protection Board’s (EDPB) Opinion on 13 April on the European Commission’s (EC) draft adequacy decision.

The Opinion agreed with the EC’s assessment that the UK’s law and practice on personal data protection under the General Data Protection Regulation (GDPR) does ensure a degree of personal data protection equal to that offered by European law. This was a positive step for UK businesses with data flows between the EU and the UK, who were all too aware of the impending 30 June 2021 deadline when the adequacy bridge agreed in the 2020 Trade And Cooperation Agreement was set to expire.

While non-binding, the Opinion outlined several areas of concern that the European Commission should monitor, particularly:

  • The UK Data Protection Act’s immigration exemption, believed to restrict data subjects’ rights.
  • Onward transfers of personal data sent to the UK, then transferred to a third country.

For more information or advice please get in touch.

Disclaimer

Content is for general information purposes only. The information provided is not intended to be comprehensive and it does not constitute or contain legal or other advice. If you require assistance in relation to any issue please seek specific advice relevant to your particular circumstances. In particular, no responsibility shall be accepted by the authors or by Abbiss Cadres LLP for any losses occasioned by reliance on any content appearing on or accessible from this article. For further legal information click here.

The author

Megan Shields
Megan Shields
Partner
  • Global Privacy and Data Protection Compliance
  • GDPR/DPA

Also by Megan Shields