Regulatory and Industry News Alerts from Armanino

Data Transfers: UK Granted Adequacy Status by the European Commission

by Mirena Taskova, Pippa Akem
July 08, 2021

The European Commission declared on June 28, 2021, that the U.K. ensures an adequate level of protection of personal data and has adopted two adequacy decisions for the United Kingdom, which permit personal data to flow freely from the EU to the U.K. One of the decisions covers the EU General Data Protection Regulation (GDPR) and the other one covers the EU Data Protection Directive with Respect to Law Enforcement.

Adequacy Criteria

Under the EU GDPR, personal data transfers from the EU to a third country (e.g., the U.S.) may take place if certain conditions are met. For example:

  • The controller/processor has provided appropriate safeguards for protection of the personal data (e.g., Standard Contractual Clauses).
  • The European Commission has decided that the third country (e.g., the U.K. after Brexit) ensures an adequate level of protection.

What Does the Decision Mean?

On June 28,2021 the European Commission decided that the U.K. ensures an adequate level of protection of personal data, which means that personal data can flow freely from the European Union to the U.K.

The Vice President for Values and Transparency Věra Jourová said, “the UK has left the EU but today its legal regime of protecting personal data is as it was. Because of this, we are adopting these adequacy decisions today.” The European Commission’s ruling creates the opening for decision makers on both sides to arrive at a plan that is able to fully support the proper implementation of the EU-UK Trade and Cooperation Agreement and support the exchange of personal information.

Implications Going Forward

For the first time, the adequacy decision has an expiration date. The U.K.’s status isn’t permanent, as both decisions are set to sunset within four years after they enter into force (sunset clause). If the European Commission decides to renew the adequacy status, the adoption process will start again. The European Commission has indicated that it will continue to monitor the situation in the U.K. over the next four years, and it could intervene if the U.K. deviates from its current level of personal data protection. Věra Jourová said, “we have listened very carefully to the concerns expressed by the Parliament, the Members States and the European Data Protection Board, in particular on the possibility of future divergence from our standards in the UK's privacy framework. We are talking here about a fundamental right of EU citizens that we have a duty to protect. This is why we have significant safeguards and if anything changes on the UK side, we will intervene.”

Another notable development from today’s decision is that transfers for the purposes of U.K. immigration control are not within the scope of the GDPR. This aligns with a recent judgment of the England and Wales Court of Appeal on the validity and interpretation of certain restrictions of data protection rights in this area. This is still a developing situation for the U.K. court, and the European Commission has left the door open to revisit its approach when the situation becomes a bit clearer.

For more information on how the European Commission’s decision could affect your organization, reach out to one of our privacy experts.

Stay In Touch

Sign up to stay up-to-date with the latest accounting regulations, best practices, industry news and technology insights to run your business.

Mirena Taskova - Managing Director, Privacy & Cybersecurity - San Jose CA | Armanino
Managing Director, Head of Privacy and Cybersecurity
Related News and Insights
Top Risks Organizations Will Face in 2022
Understand ESG, data privacy and other key risk areas and how to avoid them.

March 29, 2022 | 11:00 AM - 12:00 PM PT
Impact of the California Privacy Rights Act on Your Organization
How will the California Privacy Rights Act (CPRA) affect your organization and the way it uses artificial intelligence?

February 23, 2022 | 10:00 AM - 11:00 AM PT
6 Microsoft SSPA Compliance Considerations for Third-Party Service Providers
To avoid lost deals, businesses providing services to Microsoft suppliers need to follow Microsoft’s data privacy rules.

November 23, 2021