UK - DATA
The European Commission adopted two final adequacy decisions which enabled the continued unrestricted flow of personal data between the EU and UK until 27 June 2025 or should the UK materially diverge and weaken privacy protections. This followed the Brexit Agreement between the UK and EU which granted an interim data transfer window and the publication of draft adequacy decisions.
Key date(s)
- 24 December 2020 – The EU-UK Trade and Cooperation Agreement (the “Brexit Agreement”) provides a temporary window whereby EU-UK data transfers will not be treated as transfers to a third country subject to Chapter V of the GDPR from 1 January 2021 until either 1 May or 1 July 2021 (the “Transfer Window”).
- January 2021 – The European Data Protection Board (“EDPB”) updates its: (i) ‘Statement on the end of the Brexit transition period’ (the “EDPB Statement”); and (ii) ‘Information note on data transfers under the GDPR to the United Kingdom after the transition period’ (the “EDPB Information Note”). The Information Commissioner’s Office publishes its response to the Brexit Agreement (the “ICO Response”).
- 19 February 2021 – The European Commission publishes draft adequacy decisions for the UK for GDPR and Law Enforcement Directive purposes (the “Draft Decision”).
- 28 June 2021 – The European Commissions adopts final adequacy decisions for the UK for GDPR and Law Enforcement Directive purposes (the “Final Decision”).
- 27 June 2025 – The end of the sunset clause in the Final Decision, after which adequacy will need to be renewed.
Status
- On Christmas Eve, negotiations between the EU and UK cumulated in the announcement of the Brexit Agreement, which sets out the future cooperation between the UK and EU in a number of areas. Prior to the Brexit Agreement, there were concerns about how data flows between the EU and UK would be governed after 31 December 2020, the end of the transition period.
- In the absence of an adequacy decision granted by the European Commission (a seal of approval that the UK provides equivalent protection for the personal data of EU subjects) on 1 January 2021 the UK would have been treated as a third country, requiring organisations to put in place adequate safeguards such as standard data protection clauses, binding corporate rules, intra-group agreements, or other codes of conduct.
- Article FINPROV.10A (Interim provision for transmission of personal data to the United Kingdom) of the Brexit Agreement put in place the Transfer Window, enabling business-as-usual from a data perspective during the period the Transfer Window is in place until either: (i) an adequacy decision was granted; (ii) 1 May 2021; or (iii) if extended, 1 July 2021.
- The Transfer Window granted more time for the various necessary EU bodies to review and make a determination regarding UK adequacy, with the Draft Decision marking the launch of this process (itself comprised of two draft adequacy decisions: (i) under the EU GDPR, for personal data processed other than by the law enforcement sector; and; (ii) under the EU Law Enforcement Directive, for personal data processed by the law enforcement sector).
- The Draft Decision in respect of the UK’s adequacy status was published by the European Commission on 19 February 2021, setting in place the process for a final adequacy decision.
- The Final Decision was issued by the European Commission on 28 June 2021, just before the end of the Transfer Window
What it hopes to achieve
- Adoption of the Final Decision enables the continued, unrestricted flow of personal data between the EU and UK.
- As well as noting the strong safeguards within UK data protection legislation which mitigates potential public authority access, notably the Final Decision includes a 4 year sunset clause, ending on 27 June 2025 (after which the Final Decision will expire).
- The Final Decision will only be renewed (and indeed could be prematurely ended) if there is material deviation by the UK to the detriment of the level of privacy protection for individuals which is currently in place
Who does it impact?
- The Final Decision impacts all entities with an EU nexus, be it though international offices across the EU and UK or disaggregated supply chains, where personal data is transferred between the EU and UK.
- If the Final Decision is not renewed after the end of the sunset clause (or prematurely ended due to material divergence), this will require all such businesses to put in place appropriate contractual, operational, and technical safeguards to continue to facilitate such flows of personal data
Key points
- Concerns over UK surveillance powers
-
- The surveillance powers of the UK Government was considered a concern prior to the granting of the Final Decision, and privacy activist Max Schrems, who is responsible for the litigation which resulted in the Schrems II judgement invalidating the US-EU Privacy Shield, has commented that "there are obviously issues on UK government surveillance on EU data".
- In being granted, it was noted by the Final Decision that such surveillance was subject to strong safeguards ensuring privacy, however if the adequacy decision becomes the subject of litigation, this may endanger its validity.
- Ongoing adequacy assessment
-
- Prior to the Final Decision, the UK seemed to have a strong case for being granted an adequacy decision – the EU GDPR has been transposed into domestic law as the UK GDPR, and its data protection framework is currently identical to that of the EU, exceeding the required standard that it is “essentially equivalent”.
- However, post-Brexit, the UK has the autonomy to diverge from the European framework and the Final Decision could be revoked in future, particularly in light of questions around the UK’s surveillance powers which were previously criticised by the European Court of Justice.
- For the first time also, an adequacy decision includes a sunset clause, requiring the Final Decision to be renewed by 27 June 2025, highlighting the concern the European Commission perhaps has of the UK’s potential to weaken privacy protections by way of divergence.
- Continued compliance with EU GDPR
-
- Should divergence occur and the Final Decision be revoked, UK organisations will need to continue to comply with the EU GDPR to the extent they are caught by the offering and monitoring tests under Article 3(2).
- Sub title key point
- The Government intends for the new regulatory regime to complement other objectives of wider digital policy and regulatory interventions such as the new Online Harms regime and the National Data Strategy.
- Sub title key point
- Lorem ipsum dolor sit amet, consectetur adipiscing elit. Phasellus laoreet non risus at ultrices. Vivamus tempor purus sit amet rhoncus ultricies. Duis semper tortor quis sem vulputate, nec varius arcu mattis.
- Sub title key point
- Lorem ipsum dolor sit amet, consectetur adipiscing elit. Phasellus laoreet non risus at ultrices. Vivamus tempor purus sit amet rhoncus ultricies. Duis semper tortor quis sem vulputate, nec varius arcu mattis.
This blog post provides an overview of a key recent or upcoming development in digital regulation in the UK or EU as part of our horizon scanning timeline which can be found below.
Contacts
Key contacts
Disclaimer
The articles published on this website, current at the dates of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action.