EU Commission adopts data adequacy decision for the UK

The European Union (EU) has formally recognised the UK’s high data protection standards and will allow the continued seamless flow of personal data from the EU to the UK. Formal adoption of the data adequacy decision under the EU General Data Protection Regulation (GDPR) allows personal data to continue to flow from the EU and wider European Economic Area (EEA) to the UK. Following Brexit, the decision means that UK businesses and organisations can continue to receive personal data from the EU and EEA without having to put additional arrangements in place with European counterparts.

Until now, temporary provisions have been in place that were implemented at the end of the Brexit transition period to permit data transfers to continue, but only for a definite period, pending the conclusion of the adequacy process. In February 2021, the EU Commission issued a draft data adequacy decision for the UK, which then had to be ratified by EU Member States before it could be formally adopted. The deadline for this was 1 July 2021, which has now been met. 

The data adequacy decision will expire in four years’ time when the UK’s data protection standards will be reviewed. At this point the UK must be able to show that it provides an adequate level of personal data protection in order for the decision to be renewed.

Commenting on the news Secretary of State for Digital Oliver Dowden said: “After more than a year of constructive talks it is right the European Union has formally recognised the UK’s high data protection standards. This will be welcome news to businesses, support continued cooperation between the UK and the EU and help law enforcement authorities keep people safe. We will now focus on unlocking the power of data to drive innovation and boost the economy while making sure we protect people’s safety and privacy.”