The European Union (EU) has formally granted the UK adequacy status, allowing the flow of personal data between the two regions to continue seamlessly.
Earlier today, it was announced that the EU adopted two adequacy decisions for the UK – one under the General Data Protection Regulation (GDPR) and the other for the Law Enforcement Directive. These acknowledge that UK data protection rules are “essentially equivalent” to EU standards in both areas.
The decisions by the EU Commission will be of significant relief to businesses operating in the two jurisdictions, as it means additional arrangements will not be needed to allow data to be transferred from the EU to the UK.
The announcement has been pending ever since the EU-UK Trade and Cooperation Agreement, which governs the UK and EU’s future trading relationship following the Brexit transition period, came into force as of January 1 2021.
The EU commission first published draft decisions granting the UK adequacy status in the two areas back in February 2021. Still, these had to be shared with the European Data Protection Board for a ‘non-binding opinion’ before being put to EU member states to approve formally. The board then gave approval to these draft decisions in April but highlighted a number of areas that required further assessment, including “the role and powers of the security services.”
There were concerns the latter could prove to be a sticking point, especially as it formed the basis of the ‘Schrems II’ decision in June 2020 by the Court of Justice of the European Union, which invalidated the privacy shield between the EU and US. However, these fears have proven to be unfounded, with the Commission acknowledging that the UK’s system allows for solid safeguards regarding access to personal data by public authorities, notably for national security reasons.
The EU did emphasize that both adequacy decisions include safeguards if the UK diverges from its current arrangements in the future. These include a ‘sunset clause,’ limiting the duration of the adequacy to four years.
Didier Reynders, EU Commissioner for Justice, commented: “After months of careful assessments, today we can give EU citizens certainty that their personal data will be protected when it is transferred to the UK. This is an essential component of our new relationship with the UK. It is important for smooth trade and the effective fight against crime. The Commission will be closely monitoring how the UK system evolves in the future, and we have reinforced our decisions to allow for this and for an intervention if needed. The EU has the highest standards when it comes to personal data protection, and these must not be compromised when personal data is transferred abroad.”
The UK Secretary of State for Digital, Oliver Dowden, welcomed the decisions, stating: “After more than a year of constructive talks it is right the European Union has formally recognized the UK’s high data protection standards.
“This will be welcome news to businesses, support continued cooperation between the UK and the EU, and help law enforcement authorities keep people safe.
“We will now focus on unlocking the power of data to drive innovation and boost the economy while making sure we protect people’s safety and privacy.”