The European Commission has announced its decision to adopt two ‘adequacy’ decisions for the UK, one under the General Data Protection Regulation (GDPR) and one under the Law Enforcement Directive, allowing the continued free flow of personal data from the European Union (EU) to the UK.
The GDPR permits the European Commission to determine whether a country outside the EU provides an ‘adequate’ level of protection for personal data, equivalent to the level of protection guaranteed under European law.
If it is determined a third country (outside the EEA or EU) provides an adequate level of protection, an adequacy decision is granted which permits the free flow of personal data without the need for additional safeguards.
Had the UK’s data protection standards not been deemed ‘adequate’, businesses and organisations processing EU personal data would have needed to put additional arrangements in place or rely on exemptions provided in data protection law.
The UK operates an independent data policy and has already recognised the EU and EEA member states as ‘adequate’.
The free flow of personal data supports trade, innovation and investment, helps tackle serious crime and terrorism, supports the delivery of critical public services and facilitates research.
Danielle Amor, a director at Pannone Corporate, described the Commission’s adequacy decision as a “huge relief”, amidst “concern the UK’s processing of personal data on the grounds of national security could preclude or delay such a decision”.
She added: “Personal data can now continue to flow freely… without the need for standard contractual clauses and other bespoke safeguarding measures. It would have been costly and cumbersome for such measures to have been adopted by all businesses relying on EU/UK cross-border transfers of data.
“Of course, many businesses will have already put such measures in place given that the interim data transfer measures agreed pursuant to the EU-UK Trade and Co-Operation Agreement, which expired on 30 June 2021.
“That said, the adequacy decision contains a sunset clause meaning it must be renewed in four years’ time and, should the UK decide to depart from the GDPR, we can expect the Commission to reassess its position.”
The Law Society welcomed the announcement, but also urged caution.
Society president, I. Stephanie Boyce, said: "The decision brings much needed certainty… Having urged our members for some months to hope for the best but prepare for the worst on this issue we're delighted with today's outcome."
However, she added: “Despite this being positive news, we would nevertheless recommend that members regularly review their contingency planning.
“Though adopted, adequacy decisions are time-limited, subject to review and may even be challenged in the future, especially if the UK diverges from EU regulation.”
The European Commission’s statement on the adequacy decisions said both decisions “include strong safeguards in case of future divergence, such as a ‘sunset clause', which limits the duration of adequacy to four years”.
Věra Jourová, the European Commission’s vice-president for values and transparency, said: “… we have listened very carefully to the concerns… in particular on the possibility of future divergence from our standards in the UK's privacy framework.
“We are talking here about a fundamental right… that we have a duty to protect. This is why we have significant safeguards and if anything changes on the UK side, we will intervene”.
techUK CEO, Julian David, said: “Securing an EU-UK adequacy decision has been a top priority for techUK and the wider tech industry since the day after the 2016 referendum.
“The decision that the UK’s data protection regime offers an equivalent level of protection to the EU GDPR is a vote of confidence in the UK’s high data protection standards and is of vital importance to UK-EU trade as the free flow of data is essential to all business sectors”.
He added: “The data adequacy decision also provides a basis for the UK and EU to work together on global routes for the free flow of data with trust, building on the G7 Digital and Technology declaration and possibly unlocking €2 trillion of growth.
“The UK must also now move to complete the development of its own international data transfer regime in order to allow companies in the UK not just to exchange data with the EU, but also to be able to access opportunities across the world.”...