On February 19, 2021, the European Commission published a draft decision finding that UK law provides an adequate level of protection for EU residents’ data. If the draft decision is adopted, organizations in the EU will be able to continue to transfer personal data to organizations in the UK without restriction. They also will not need to implement data transfer mechanisms, such as the EU Standard Contractual Clauses, to comply with the requirements of the GDPR.
The draft decision comes after a year of review by the European Commission, which concluded that the UK’s legal and regulatory data protection regime meets EU data protection adequacy requirements.
It also provides for automatic review of the UK legal regime within four years. If the European Commission does not re-affirm the adequacy of the UK at that time, the UK will no longer be considered adequate.
The decision will undergo further review before it is formally adopted. The European Data Protection Board and the European Parliament’s Committee on Civil Liberties will issue a non-binding opinion in relation to the decision. The decision will be formally adopted after it has been approved by the EU Member States acting through the European Council.
The UK government welcomed the decision in a statement issued by the Department for Digital, Culture, Media & Sport.
Companies transferring data out of China for processing should be aware of new guidance issues on June 26 by China’s National Information Security Standardization Technical Committee - the Cybersecurity Standards Specification for the Certification of Cross-Border Processing of Personal Information.