European commission adopts two UK adequacy decisions

June 28, 2021


On June 28, 2021, the European Commission adopted two adequacy decisions for the UK. One in relation to the GDPR and the other the Law Enforcement Directive. Following the UK’s exit from the European Union on January 1, 2021, an interim Trade and Cooperation Agreement was in place. This agreement protected international flows of data between the two jurisdictions and was set to expire on June 31, 2021. The European Commission’s adequacy decisions mean that the UK is seen to have ‘an essentially equivalent level of protection to that guaranteed under EU law’ and that personal data is able to flow freely between the UK and the EU. For the first time, the European Commission’s adequacy decisions include a ‘sunset clause’ which means the decisions will automatically expire four years after their entry into force.

Keep Up to Date with The Latest UK Adequacy News with the OneTrust DataGuidance Brexit Portal

Speaking on the European Commission’s two adequacy decisions Didier Reynders, Commissioner for Justice, said: “After months of careful assessments, today we can give EU citizens certainty that their personal data will be protected when it is transferred to the UK. This is an essential component of our new relationship with the UK. It is important for smooth trade and the effective fight against crime. The Commission will be closely monitoring how the UK system evolves in the future and we have reinforced our decisions to allow for this and for an intervention if needed. The EU has the highest standards when it comes to personal data protection and these must not be compromised when personal data is transferred abroad.”

What the UK Adequacy decision means

The European Commission’s press release outlines that the UK’s data protection regime continues to apply the same rules as it did before leaving the EU and that it has incorporated core elements of both the GDPR and the Law Enforcement Directive into its legal system now that the UK has left the EU.

In its decision, the European Commission highlighted that the UK’s legal system provides strong safeguards in relation to personal data accessed by public authorities, which include:

  • The collection of data by intelligence authorities is subject to prior authorization by an independent judicial body
  • Any measure needs to be necessary and proportionate to what it intends to achieve
  • Any person who believes they have been the subject of unlawful surveillance may bring an action before the Investigatory Powers Tribunal

Additionally, the European Commission’s two UK adequacy decisions include for the first time, a ‘sunset clause’ whereby the adequacy decisions have a strict timeframe of four years from the day they enter into force. Upon the expiration of these four years the adequacy decision can be renewed by the European Commission, only if the UK continues to demonstrate an essentially equivalent level of data protection. During these four years, the European Commission has the power to step in if the UK moves away from its current level of data protection.

Learn how OneTrust can support compliance with data transfer requirements including Schrems II and EDPB guidance

The European Commission’s two UK adequacy decisions will go a long way to settling any remaining Brexit uncertainty. Coming at a time where new Standard Contractual Clauses (SCCs) and EDPB Guidelines are causing headaches for privacy professionals, the UK adequacy decisions adopted by the European Commission can be one less thing to worry about… for now.

Follow OneTrust on LinkedInTwitter, or YouTube for the latest on the UK adequacy decision.

You may also like


Privacy Management

Managing data transfers within the UK & EU

Join our experts as we discuss ways to effectively manage data transfers between the UK & EU while staying compliant with the latest privacy regulations.

October 31, 2023

Learn more


Data Discovery & Security

A guided tour of OneTrust Data Discovery magic

Our expert speaker will demonstrate how common real-world data challenges can be identified, addressed, and reported on, leading to better data governance, security, and alignment with business goals. 

October 26, 2023

Learn more


Data Discovery & Security

Data minimization and risk assessment in data discovery

Explore the concept of data minimization and its crucial role in enhancing security, privacy, and reducing risk.

October 19, 2023

Learn more