On 28 June, the European Commission adopted two UK data adequacy decisions (one under the General Data Protection Regulation, GDPR, and another under the Law Enforcement Directive, LED). This means that data flows between the EU and the UK can continue without the need to adopt additional safeguards.  

The decisions include, for the first time, a ‘sunset clause’ which limits their duration. This means that the decisions will automatically expire four years after their entry into force. After that period, they can be renewed subject to the UK continuing to ensure the adequate level of data protection and to a relevant assessment by the European Commission. During the four years, the Commission will continue to monitor the legislative developments in the UK. 

Transfers for the purposes of immigration control are excluded from the scope of the decision adopted under the GDPR to reflect the recent judgment from the Court of Appeal of England and Wales on the validity of the interpretation of certain restrictions in that area. The Commission will reassess this exclusion once it is remedied under UK law. 

The adoption of the decisions came right before the expiry date of the bridging mechanism for transfers of personal data under the EU-UK Trade and Cooperation Agreement (TCA). The mechanism allowed for seamless data flows between the EE and the UK until 30 June 2021.

More information:

ICO statement: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/06/ico-statement-in-response-to-the-eu-commission-s-announcement-on-the-approval-of-the-uk-s-adequacy/

Statement of the UK Government: https://www.gov.uk/government/news/eu-adopts-adequacy-decisions-allowing-data-to-continue-flowing-freely-to-the-uk