28 Jun 2021

EU adopts adequacy decisions for data to flow freely to the UK

The UK’s high data protection standards have formally been recognised by the EU, allowing the continued free flow of personal data from the EEA to the UK.

The European Commission has today, 28th June,  formally adopted two decisions under the EU General Data Protection Regulation (GDPR) and Law Enforcement Directive (LED) to allow personal data to flow freely from the EU and wider European Economic Area (EEA) to the UK.

The adequacy decisions follow an extensive assessment by the European Commission that concluded the UK’s data protection regime provides an ‘essentially equivalent’ level of data protection to the EU GDPR. 

This is positive news for UK and EU businesses which will not be required to put in place an additional legal basis, such as Standard Contractual Clauses (SCCs), to transfer personal data between the UK and the European Economic Area (EEA), allowing data to flow as long as UK and EEA businesses are observing their respective data protection frameworks.

The decisions come just in time before the end of the bridging period on 30 June and will also support UK-EU Trade under the EU-UK Trade and Cooperation Agreement and the digital trade chapter contained within it.

Following the draft decision from the European Commission on the 19th February, and the EDPB finding “strong alignment” between the GDPR and UK data protection framework in its opinions published on the 14th April, EU 27 Member States voted unanimously in favour of the UK adequacy decision in the European Council on 16th June.

A key element to note about the adequacy decision is that transfers for the purposes of UK immigration control are excluded from the scope of the adequacy decision adopted under the GDPR. This is in order to reflect a recent judgment of the England and Wales Court of Appeal on the validity and interpretation of certain restrictions of data protection rights in this area. The Commission states that it will reassess the need for this exclusion once the situation has been remedied under UK law.

The European Commission will continue to monitor developments in the UK data protection regime very closely, and holds the power to amend, repeal or suspend the decisions if required. The decisions also include a ‘sunset clause’, meaning that the decisions will automatically expire four years after their entry into force and will be reviewed before being renewed.

For more detail about the EU-UK adequacy assessment, process, and what this means for the UK tech industry, click here.

Commenting on these decisions, Julian David, CEO at techUK said:

Securing an EU-UK adequacy decision has been a top priority for techUK and the wider tech industry since the day after the 2016 referendum. The decision that the UK’s data protection regime offers an equivalent level of protection to the EU GDPR is a vote of confidence in the UK’s high data protection standards and is of vital importance to UK-EU trade as the free flow of data is essential to all business sectors.   The data adequacy decision also provides a basis for the UK and EU to work together on global routes for the free flow of data with trust, building on the G7 Digital and Technology declaration and possibly unlocking €2tn of growth1. The UK must also now move to complete the development of its own international data transfer regime in order to allow companies in the UK not just to exchange data with the EU, but also to be able to access opportunities across the world. I’d also like to thank the UK Government, European Commission and Digital Europe for their hard work throughout this process to make this vital agreement possible.

Julian David