EU hands down positive GDPR adequacy decision in the nick of time

The decision, made on 28 June 2021, recognises that the UK's data protection standards are "adequate" which enables the continued free flow of data between the UK and EU.

Vice-President of the European Commission, Vera Jourava, explained the thinking behind the long awaited decision: "The UK has left the EU but today its legal regime of protecting personal data is as it was. Because of this, we are adopting these adequacy decisions today."

Back in January we predicted that the Adequacy decision would not be straightforward given the EU's nervousness that the UK is keen to move away from the core principles of GDPR in the future.

Cutting it fine

The decision came with just two days to spare and should be seen as a big win for businesses on both sides of the channel.

Had the EU declined to accept UK data protection standards as adequate it could have cost UK firms up to £1.6bn (New Economics Foundation).

'Sunrise, Sunset'

Businesses should rightly take a sigh of relief but there are likely to be further tensions surrounding the EU's attitudes to UK data protection standards.

The "Sunset clause" within the decision means it will expire automatically after four years. After this period the UK will have to again demonstrate to the Commission that it has maintained parity with the protections offered within the EU.

The European Commissioner for data protection also warned that that the decision would be withdrawn "immediately" if the EC had concerns about the UK's direction of travel.

The other potential hiccup to look out for on the horizon is a legal challenge, similar to the one which resulted in the Schrems II ruling (reported here), which could see the decision successfully overruled in the ECJ.