Today, 28 June 2021, the European Commission formally adopted two adequacy decisions with respect of transferring personal data from the European Economic Area (the "EEA") to the United Kingdom (the "UK"): one under the EU General Data Protection Regulation and one under the EU Law Enforcement Directive. The two decisions come into force immediately.
Until the end of June 2021, organisations are allowed to freely transfer personal data from the EEA to the UK under the six-month "bridging period" agreed in the EU-UK Trade and Cooperation Agreement. However, the adoption of the two adequacy decisions now means that businesses can continue to freely transfer personal data from the EEA to the UK without having to implement any additional safeguards, such as entering into the new EU standard contractual clauses and carrying out local assessments for transfers to the UK.
Transfers for the purposes of UK immigration control are excluded from the scope of the GDPR adequacy decision. The European Commission stated it would reassess the need for this exclusion following developments in UK law.
Transfers of personal data from the UK to the EEA have been allowed under UK adequacy regulations.
Temporary solution for EEA to UK data transfers
Both decisions have a four-year sunset clause which limits their duration until 27 June 2025. The inclusion of the sunset clause was endorsed by the European Data Protection Board in its opinions on the draft adequacy decisions. This means that the European Commission has to re-assess the UK data protection regime in four years' time and, in particular, any divergences between the UK General Data Protection Regulation and the EU General Data Protection Regulation (for example, in relation to onward transfer of personal data to third countries or access to personal data by public authorities), if the adequacy decisions are to be renewed.
Moreover, under the two adequacy decisions, the European Commission is required to monitor on an ongoing basis the data protection regime in the UK and can withdraw the adequacy decisions before the four-year period, if the UK regime no longer ensures an essentially equivalent data protection as required under EU law.
While the adoption of the two adequacy decisions gives businesses that transfer personal data from the EEA to the UK some welcome certainty, it is possible that the adequacy decisions will be challenged in EU courts and/or that the European Commission will decide not to renew the adequacy decisions in four years' time, or even to withdraw the adequacy decisions before the end of the four-year period, if there is a major divergence between the UK and EU data protection regimes.