UK GDPR adequacy recognition approved by Brussels


29th June 2021

Free flows of personal data from the EU to the UK under the current streamlined rules look set to continue as the EU moves towards a new personal data transfer deal. This looks to be good news for General Data Protection Regulation (GDPR) adequacy.

Last week, the national governmental policy experts of each EU Member State unanimously voted in favour of a draft EU Commission decision which would finally recognise the UK as ‘adequate’ under the GDPR, meaning the EU will deem the UK’s privacy laws to be as protective of individuals’ privacy as the rules that apply within the EEA. Importantly, this would mean there will be no disruptions to EU – UK transfers of personal data, which is good news for businesses, who were increasingly bracing for the worst.

It has previously been an open question whether the EU would adopt an adequacy decision for the UK, with a real threat that no such approval would be forthcoming and, instead, businesses would be faced with having to adapt to a more restrictive regime, with additional administrative safeguards on the transfer of personal data and lengthier legal documentation. In particular, in February 2021 the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs issued a non-binding Opinion that the UK should not be granted an adequacy decision for several reasons, including perceived concerns surrounding national security.

Under the current Brexit trade deal between the UK and EU, the EU had agreed to temporarily allow flows of personal data from the EU to the UK to continue on the same basis as if the UK were still an EU Member State under a so-called “bridging mechanism”.

However, this “bridging mechanism” is set to expire on 30 June 2021, meaning that an adequacy decision is essential to continuing the current regime without disruption.

Now, Member States’ experts have approved the draft GDPR adequacy decision, and on 28 June 2021, the EU Commission adopted the decision just before the deadline of 30 June 2021.

If you need legal advice about GDPR, please do contact our data protection specialists.

This article was first published on 25 June 2021 and updated on 29 June 2021.
