UK: European Commission adopts UK adequacy decisions
The new adequacy decisions have been adopted under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED).
This confirms the EU’s acceptance that the UK’s data protection regime is substantially equivalent to the EU regime and allows personal data to flow freely from the EU and wider European Economic Area (EEA) to the UK. This announcement has been welcomed by the UK government and is good news for both UK and EU and EEA businesses which depend on the ongoing transfer of data to the UK, particularly those in the insurance, health, and technology sectors. Failure to secure an adequacy decision, would, it is estimated, have cost UK business upwards of £1.6billion. The UK has previously recognised the EU and EEA member states as adequate.
The formal adequacy agreement will run for four years after which it will be subject to review and extension if the level of data protection in the UK continues to be adequate. The EC will continue to monitor the legal situation in the UK during these four years and could intervene at any point. The temporary interim provision under the Brexit Trade Deal has now come to an end, as the final adequacy decision has been issued by the EC.
Following the end of the Brexit transition period, the UK data processing regime is now governed by the UK GDPR and the Data Protection Act 2018, which are derived from and almost identical in substance to the EU GDPR and the LED. The EU has also issued adequacy decisions to other third nations including Argentina, Canada, Israel, Japan, New Zealand, Switzerland and Uruguay.
Key Action Points for Human Resources and In-house Counsel
As a result of the EU approved adequacy decisions, personal data can continue to flow freely from the EU to the UK as it did before the UK left the EU. Although both decisions are expected to last until 27 June 2025, employers should keep this under review as the European Commission will continue to monitor the situation and could intervene at any point. Further guidance is published on the Information Commissioner’s Office (ICO) website.