An eye on the UK – is it good enough to be “adequate”?

Anyone with a passing interest in data protection compliance, or anyone who works in an organisation that receives / uses personal data from outside the UK, could not have failed to breathe a little sigh of relief when news came last week that the European Commission had issued an “adequacy decision” for the UK under the EU GDPR. But what does this really mean?

Very simply put, under the EU GDPR, organisations that are subject to the EU GDPR have to meet strict criteria when sending personal data outside the EU. International transfers of personal data are easier to deal with from an EU GDPR compliance perspective if the country that you are sending personal data to has an “adequacy decision”. An adequacy decision is essentially a decision of the European Commission that the country in question has equivalent levels of protection regarding personal data to those under EU law and it enables the flow of personal data without any “additional” safety measures needing to be put in place – it is worth mentioning that the data transfer still has to comply with all the other provisions of the EU GDPR, so care still has to be taken!

So why is this important? From an EU perspective, as a result of the UK leaving the EU, for personal data to continue to be sent to the UK either the European Commission had to adopt an adequacy decision regarding the UK, or organisations would need to see whether there were any other ways of lawfully sending personal data to the UK, such as the use of standard contractual clauses for example. On 28 June 2021 the European Commission issued a press release saying that the European Commission had adopted adequacy decisions for the UK. So we’re all good, right?

As always, the devil is in the detail and it is worth noting that the decision contains a “sunset clause” which essentially means the decision will automatically come to an end in 4 years’ time. Whether the adequacy decision would be renewed would depend on what the UK legal framework looks like at that point in time. There is also the potential for the European Commission to intervene should the UK change its laws in a way that the European Commission does not consider to be appropriate. In other words, the UK has a reprieve and how temporary or otherwise that may be remains to be seen. So is it good enough to be “adequate”? For now, maybe.

If you would like any assistance with your data protection compliance please don’t hesitate to get in contact with the team on 01633 413500.

Note – the contents of this article is not intended to be legal advice and neither RDP Law Limited, nor the writer, accepts any liability for any reliance you may place on the same.