On June 28, 2021, the European Commission adopted two adequacy decisions for the UK. One in relation to the GDPR and the other the Law Enforcement Directive. Following the UK’s exit from the European Union on January 1, 2021, an interim Trade and Cooperation Agreement was in place. This agreement protected international flows of data between the two jurisdictions and was set to expire on June 31, 2021. The European Commission’s adequacy decisions mean that the UK is seen to have ‘an essentially equivalent level of protection to that guaranteed under EU law’ and that personal data is able to flow freely between the UK and the EU. For the first time, the European Commission’s adequacy decisions include a ‘sunset clause’ which means the decisions will automatically expire four years after their entry into force.

Keep Up to Date with The Latest UK Adequacy News with the OneTrust DataGuidance Brexit Portal

Speaking on the European Commission’s two adequacy decisions Didier Reynders, Commissioner for Justice, said: “After months of careful assessments, today we can give EU citizens certainty that their personal data will be protected when it is transferred to the UK. This is an essential component of our new relationship with the UK. It is important for smooth trade and the effective fight against crime. The Commission will be closely monitoring how the UK system evolves in the future and we have reinforced our decisions to allow for this and for an intervention if needed. The EU has the highest standards when it comes to personal data protection and these must not be compromised when personal data is transferred abroad.”

What The UK Adequacy Decision Means

The European Commission’s press release outlines that the UK’s data protection regime continues to apply the same rules as it did before leaving the EU and that it has incorporated core elements of both the GDPR and the Law Enforcement Directive into its legal system now that the UK has left the EU.

In its decision, the European Commission highlighted that the UK’s legal system provides strong safeguards in relation to personal data accessed by public authorities, which include:

Additionally, the European Commission’s two UK adequacy decisions include for the first time, a ‘sunset clause’ whereby the adequacy decisions have a strict timeframe of four years from the day they enter into force. Upon the expiration of these four years the adequacy decision can be renewed by the European Commission, only if the UK continues to demonstrate an essentially equivalent level of data protection. During these four years, the European Commission has the power to step in if the UK moves away from its current level of data protection.

Learn how OneTrust can support compliance with data transfer requirements including Schrems II and EDPB guidance

The European Commission’s two UK adequacy decisions will go a long way to settling any remaining Brexit uncertainty. Coming at a time where new Standard Contractual Clauses (SCCs) and EDPB Guidelines are causing headaches for privacy professionals, the UK adequacy decisions adopted by the European Commission can be one less thing to worry about… for now.

Further reading on the UK Adequacy Decision:

Follow OneTrust on LinkedIn, Twitter, or YouTube for the latest on the UK adequacy decision.