On February 19, 2021, the European Commission published a draft decision finding that UK law provides an adequate level of protection for EU residents’ data. If the draft decision is adopted, organizations in the EU will be able to continue to transfer personal data to organizations in the UK without restriction. They also will not need to implement data transfer mechanisms, such as the EU Standard Contractual Clauses, to comply with the requirements of the GDPR.
The draft decision comes after a year of review by the European Commission, which concluded that the UK’s legal and regulatory data protection regime meets EU data protection adequacy requirements.
It also provides for automatic review of the UK legal regime within four years. If the European Commission does not re-affirm the adequacy of the UK at that time, the UK will no longer be considered adequate.
The decision will undergo further review before it is formally adopted. The European Data Protection Board and the European Parliament’s Committee on Civil Liberties will issue a non-binding opinion in relation to the decision. The decision will be formally adopted after it has been approved by the EU Member States acting through the European Council.
The UK government welcomed the decision in a statement issued by the Department for Digital, Culture, Media & Sport.
The European Commission announced in December that it has begun its process to adopt an adequacy decision for the EU-U.S. Data Privacy Framework (the Framework). Companies seeking to transfer data from countries in the European Union to the United States will need to take steps to align with this change.