The European Commission has adopted a UK adequacy decision regarding personal data transfers from the EU to the UK. Personal data can continue to flow freely from the EU to the UK, as the data protection regime in the UK has been deemed to offer an equivalent level of personal data protection.
This is good news for businesses, as the uncertainty over the last few months surrounding future personal data exchanges has been removed. Business as usual continues under both the UK and EU GDPR. Provided that the UK does not diverge from its current regime, as some recent government murmurings have suggested, the adequacy decision remains for four years. Do note, however, that the European Commission did caveat this decision: the adequacy decision does not cover immigration data.
The European Commission had published their draft adequacy decision in February. Further progress was made towards UK data adequacy status with the publication of the European Data Protection Board’s (EDPB) Opinion on 13 April on the European Commission’s (EC) draft adequacy decision.
The Opinion agreed with the EC’s assessment that the UK’s law and practice on personal data protection under the General Data Protection Regulation (GDPR) does ensure a degree of personal data protection equal to that offered by European law. This was a positive step for UK businesses with data flows between the EU and the UK, who were all too aware of the impending 30 June 2021 deadline when the adequacy bridge agreed in the 2020 Trade And Cooperation Agreement was set to expire.
While non-binding, the Opinion outlined several areas of concern that the European Commission should monitor, particularly:
- The UK Data Protection Act’s immigration exemption, believed to restrict data subjects’ rights.
- Onward transfers of personal data sent to the UK, then transferred to a third country.
For more information or advice please get in touch.
