Data Transfers from the EU to the UK; We’re Adequate… for now

Updating our previous article regarding ‘EU to UK Personal Data Transfers Post the BREXIT Transition Period’, the European Commission finally issued their formal decision on 28 June 2021, to adopt two adequacy decisions for the UK[1]. One related to the Law Enforcement Directive and the other, more important for organisations transferring the personal data of EU data subjects from the EU to the UK, related to EU GDPR.

This means that the personal data of EU data subjects can flow freely from the EU to UK data processors and controllers unhindered, save for any necessary Data Processing Agreements, without the need for additional legal mechanisms such as Standard Contractual Clauses (SCC) or Binding Corporate Rules (BCR). Those transfers of personal data from the EU to the UK which are classed as ‘necessary’ remain out of scope.

This decision was welcomed by the UK Data Protection Regulator in a statement issued on the same date where the Information Commissioner said,

“This is a positive result for UK businesses and organisations. Approved adequacy means that businesses can continue to receive data from the EU without having to make any changes to their data protection practices. Adequacy is the best outcome as it means organisations can carry on with data protection as usual. And people will continue to enjoy the protections that their data will be used fairly, lawfully and transparently. The result is also a testament to the strength of the UK’s data protection regime.”

That final sentence may be called into question in the not-too-distant future as for one, in a series of recommendations by the ‘Taskforce on Innovation, Growth and Regulatory Reform’[2] submitted to the UK Government, the Taskforce calls to ‘replace the UK GDPR 2018 with a new, more proportionate, UK Framework of Citizen Data Rights’ as they see ‘value’ in peoples’ personal data, and two, in the statement by the EU Commission, there is reference to the ‘sunset clause’ limiting the duration of Adequacy decisions to automatically expire four year after they came into force.

If the UK Government introduces an updated ‘UK Framework of Citizen Data Rights’, this will likely diverge UK legislation from the EU Data Protection Framework. If the UK diverges earlier than four years, then the EU Commission can choose to revisit the Adequacy decision at this point.

It should be noted that the UK is also subject to the jurisdiction of the European Court of Human Rights and it must adhere to the European Convention of Human Rights as well as to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, which is the only binding international treaty in the area of data protection. These international commitments are essential elements of the legal framework assessed in the two adequacy decisions.

The future still looks full of change.

[1] European Commission | Europa Publications, Commission adopts adequacy decisions for the UK (europa.eu), [accessed 28 June 2021]

[2] UK Government Publishing Service | Taskforce on Innovation, Growth and Regulatory Reform, FINAL_TIGRR_REPORT__1_.pdf (publishing.service.gov.uk), [accessed 05 June 2021]