GDPR Adequacy for the UK

As predicted, on 28 June 2021 the European Commission adopted two adequacy decisions for the United Kingdom – one under the General Data Protection Regulation (GDPR) and the other for the Law Enforcement Directive. These decisions mean that personal data can continue to flow freely from the EU’s Member States to the UK, and the EU will consider such personal data to enjoy an ‘essentially equivalent’ level of protection to that under EU law. The adoption occurred just in time, as the previous interim regime had been due to expire on 30 June 2021.

Such a move by the European Commission avoids the ‘worst-case’ scenario that could otherwise have arisen, where businesses would have had to scramble to put various onerous and expensive legal and administrative safeguards in place to ensure personal data would be secure.

While the European Commission states that the current data protection rules in the UK ‘closely mirror’ the corresponding rules in the EU, it is conceivable that, as Brexit fades into memory, the UK and EU will diverge in their respective attitudes to personal data protection, which could manifest itself in different legislation. Recent comments by the UK’s Secretary of State for Digital, that the UK Government is planning to reform data protection law to allow information to flow more freely and drive growth in the digital economy, would seem to support this view. Time will tell.

If you need any legal advice on data protection and transfers, contact our specialists.