The European Commission (EC) has formally signed off on data adequacy for the UK, allowing the flow of personal data between the European Union and the UK.

Yesterday, it was announced that the Commission has adopted two adequacy decisions for the UK - one under the General Data Protection Regulation (GDPR) and the other for the Law Enforcement Directive.

Personal data can now flow freely from the European Union to the United Kingdom where it benefits from an essentially equivalent level of protection to that guaranteed under EU law.

The decisions also facilitate the correct implementation of the EU-UK Trade and Cooperation Agreement, which foresees the exchange of personal information.

Both decisions include strong safeguards in case of future divergence such as a “sunset clause”, which limits the duration of adequacy to four years.

Other elements of the adequacy decisions:

  • With respect to access to personal data by public authorities in the UK, notably for national security reasons, the UK system provides for strong safeguards. In particular, the collection of data by intelligence authorities is, in principle, subject to prior authorisation by an independent judicial body. Any measure needs to be necessary and proportionate to what it intends to achieve. Any person who believes they have been the subject of unlawful surveillance may bring an action before the Investigatory Powers Tribunal. 
  • Transfers for the purposes of UK immigration control are excluded from the scope of the adequacy decision adopted under the GDPR in order to reflect a recent judgment of the England and Wales Court of Appeal on the validity and interpretation of certain restrictions of data protection rights in this area. 

The announcement has been pending since the EU-UK Trade and Cooperation Agreement came into force on January 1, 2021. Draft decisions were first published back in February 2021 and shared with the European Data Protection Board for a ‘non-binding opinion’ before being put to EU member states to approve formally.

Didier Reynders, Commissioner for Justice, said: 

“After months of careful assessments, today we can give EU citizens certainty that their personal data will be protected when it is transferred to the UK. This is an essential component of our new relationship with the UK. It is important for smooth trade and the effective fight against crime. The Commission will be closely monitoring how the UK system evolves in the future and we have reinforced our decisions to allow for this and for an intervention if needed. The EU has the highest standards when it comes to personal data protection and these must not be compromised when personal data is transferred abroad.”

 
