On June 28, 2021, the European Union (“EU”) Commission (“European Commission”) adopted two adequacy decisions for cross-border data transfers from EU and EEA member states to the United Kingdom (UK) – one under the General Data Protection Regulation (GDPR) and the other for the Law Enforcement Directive. The European Commission found that the UK’s implementation of GDPR-based data protection principles satisfied the Commission’s requirements to ensure an adequate level of protection for European/EEA personal data that is transferred to the UK. The decisions include a sunset clause: they expire after four years, but will be renewed if the UK continues to ensure an adequate level of data protection.
The UK previously recognized the EU and EEA member states as “adequate.” With these European Commission adequacy decisions, personal data can continue to flow freely between EU/EEA member states and the UK, without data controllers and processors being required to implement personal data transfer mechanisms, such as Standard Contractual Clauses or Binding Corporate Rules.
Will Davis, a law clerk with Fey LLC and a law student at the University of Florida-Levin College of Law, contributed to this post.