Skip to content

EU Adopts Adequacy Decisions Allowing Data Flow to the UK

August 6, 2021

Personal data can continue to flow freely between Europe and the United Kingdom (UK) following an agreement by the European Union (EU) to adopt an Adequacy Decision under Article 45 of Regulation 2016/679 (the General Data Protection Regulation or GDPR) regarding the UK.

Transfers of personal data (as defined in the GDPR) to countries outside of the European Economic Area (EEA)(so-called “Third Countries”) are not, courtesy of Article 44 GDPR, permitted except where there is an Adequacy Decision, appropriate safeguards such as Standard Data Protection Clauses (issued in pre-approved form by the Commission), or Binding Corporate Rules (which must be approved by the Commission on a case-by-case basis). The Schrems II decision in July 2020 invalidated the Privacy Shield regime which previously legitimized transfers of personal data from the EEA to the USA. This has brought the other above-mentioned means of legitimate data transfers into sharp focus.

In the aftermath of Brexit, many wondered how data transfers would work between the EU and the UK, since from the effective date of the UK’s withdrawal from the EU (31 December 2020), the UK would be considered a Third Country and, therefore, subject to the Article 44 restriction.

The adoption by the European Commission of an Adequacy Decision involves:

  1. A proposal from the Commission;
  2. An opinion from the European Data Protection Board (which replaced the Article 29 Working Group);
  3. An approval from representatives of EU member states; and
  4. An adoption of the Decision by the Commission.

The purpose of this four-step process is for the Commission to assess if a Third Country provides an adequate level of data protection. The European Commission has previously issued Adequacy Decisions for Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay.

Given the level of trade between the UK and the EU (approximately 50% of the UK’s imports and exports as of 2020) and the necessary corollaries in levels of transfers of personal data, ensuring that future transfers would be in compliance with GDPR requirements was high on the agenda of post-Brexit tasks. The process commenced in Feb. 2021 and was completed just four months later on 28 June 2021 when the Adequacy Decision was adopted. The previous average for an Adequacy Decision was 28 months, so the pace at which this has been completed indicates the political will and economic importance placed on the process.  The GDPR Adequacy Decision was accompanied by a simultaneous Adequacy Decision under the Law Enforcement Directive which works hand in glove with the GDPR in respect of policing and security data transfers.

The UK Adequacy Decision process will have incorporated a scrutinization of the UK’s legislative framework as well as its international commitments and the functioning of the Information Commissioner’s Office (the relevant UK Supervisory Authority for data protection). It is almost certain that the UK’s adoption of GDPR as national legislation (albeit a “frozen” version of GDPR as it stands in 2020) will have had a significantly positive impact on this assessment. As against this, the Commission will have weighed its concerns regarding the UK’s surveillance regime under the Investigatory Powers Act 2016.

The adoption of the Adequacy Decision(s) is to be welcomed by businesses involved in trade with the UK and/or dealings with UK companies to whom personal data on EU data subjects is transferred.  The adoption by the UK of GDPR does, however, carry a risk, if not a certainty, of a measure of divergence on data protection laws in the future. As this evolves, it is possible that the Commission could exercise its power to revoke the Adequacy Decisions. With this leverage comes the prospect that, in reality, the UK arguably remains subject to the ongoing development of EU data protection law.

Subscribe for the latest

Subscribe

Related

Event

Webinar: Special Education Bootcamp - Compliance Foundations Under IDEA

Whether you are new to special education leadership or looking to reinforce your foundational knowledge, this interactive webinar will provide a comprehensive overview of the core compliance requirements under the Individuals with Disabilities Education Act (IDEA). Designed for school leaders who are responsible for ensuring legally sound practices, this session will offer practical tools and strategies to help participants navigate common procedural and substantive pitfalls, support sound decision-making, and build a compliant and student-centered special education program.

Explore more
Event

Telehealth Week Webinar 2025: Navigating Legal Changes and Future Trends for Healthcare Providers

Join Paul Schmeltzer, Carrie Foote, and John Howard for our one-hour annual Telehealth Week webinar, focused on the evolving legal landscape of telehealth. This session will cover key topics, including the upcoming DEA final rule on prescribing controlled substances via telehealth, federal reimbursement concerns for telehealth, and what healthcare providers need to prepare for other upcoming changes.

Explore more
Event

Webinar: The Transatlantic Tightrope: AI, ESG and the Evolving Duty of Care for Multinational Companies

Join Mariah Leffingwell and Sam Saarsteiner for a conversation, moderated by co-chair of Clark Hill’s ESG & Sustainability advisory practice, Maram Salaheldin,  that bridges the Atlantic—and the gap between innovation and accountability—as they explore how today’s duty of care must adapt to tomorrow’s technologies.

Explore more