Regulatory and Industry News Alerts from Armanino

Data Transfers: UK Granted Adequacy Status by the European Commission

by Mirena Taskova, Pippa Akem
July 08, 2021

The European Commission declared on June 28, 2021, that the U.K. ensures an adequate level of protection of personal data and has adopted two adequacy decisions for the United Kingdom, which permit personal data to flow freely from the EU to the U.K. One of the decisions covers the EU General Data Protection Regulation (GDPR) and the other one covers the EU Data Protection Directive with Respect to Law Enforcement.

Adequacy Criteria

Under the EU GDPR, personal data transfers from the EU to a third country (e.g., the U.S.) may take place if certain conditions are met. For example:

  • The controller/processor has provided appropriate safeguards for protection of the personal data (e.g., Standard Contractual Clauses).
  • The European Commission has decided that the third country (e.g., the U.K. after Brexit) ensures an adequate level of protection.

What Does the Decision Mean?

On June 28,2021 the European Commission decided that the U.K. ensures an adequate level of protection of personal data, which means that personal data can flow freely from the European Union to the U.K.

The Vice President for Values and Transparency Věra Jourová said, “the UK has left the EU but today its legal regime of protecting personal data is as it was. Because of this, we are adopting these adequacy decisions today.” The European Commission’s ruling creates the opening for decision makers on both sides to arrive at a plan that is able to fully support the proper implementation of the EU-UK Trade and Cooperation Agreement and support the exchange of personal information.

Implications Going Forward

For the first time, the adequacy decision has an expiration date. The U.K.’s status isn’t permanent, as both decisions are set to sunset within four years after they enter into force (sunset clause). If the European Commission decides to renew the adequacy status, the adoption process will start again. The European Commission has indicated that it will continue to monitor the situation in the U.K. over the next four years, and it could intervene if the U.K. deviates from its current level of personal data protection. Věra Jourová said, “we have listened very carefully to the concerns expressed by the Parliament, the Members States and the European Data Protection Board, in particular on the possibility of future divergence from our standards in the UK's privacy framework. We are talking here about a fundamental right of EU citizens that we have a duty to protect. This is why we have significant safeguards and if anything changes on the UK side, we will intervene.”

Another notable development from today’s decision is that transfers for the purposes of U.K. immigration control are not within the scope of the GDPR. This aligns with a recent judgment of the England and Wales Court of Appeal on the validity and interpretation of certain restrictions of data protection rights in this area. This is still a developing situation for the U.K. court, and the European Commission has left the door open to revisit its approach when the situation becomes a bit clearer.

For more information on how the European Commission’s decision could affect your organization, reach out to one of our privacy experts.

Stay In Touch

Sign up to stay up-to-date with the latest accounting regulations, best practices, industry news and technology insights to run your business.

Mirena Taskova - Managing Director, Privacy & Cybersecurity - San Jose CA | Armanino
Managing Director, Head of Privacy and Cybersecurity
Related News and Insights
Regulatory and Industry News Alerts from Armanino
Colorado follows California and Virginia steps in privacy, and passes a new privacy law.

July 08, 2021
How to Start Building a Secure Data Privacy Program
Aligning to a framework, such as Microsoft’s SSPA, can help you protect internal and customer data.

June 29, 2021
Regulatory and Industry News Alerts from Armanino
 New rules for data transfers from controllers or processors in the EU/EEA to those outside the EU/EEA.

June 22, 2021