On February 19, 2021, the European Commission published a draft decision finding that UK law provides an adequate level of protection for EU residents’ data. If the draft decision is adopted, organizations in the EU will be able to continue to transfer personal data to organizations in the UK without restriction. They also will not need to implement data transfer mechanisms, such as the EU Standard Contractual Clauses, to comply with the requirements of the GDPR.
The draft decision comes after a year of review by the European Commission, which concluded that the UK’s legal and regulatory data protection regime meets EU data protection adequacy requirements.
It also provides for automatic review of the UK legal regime within four years. If the European Commission does not re-affirm the adequacy of the UK at that time, the UK will no longer be considered adequate.
The decision will undergo further review before it is formally adopted. The European Data Protection Board and the European Parliament’s Committee on Civil Liberties will issue a non-binding opinion in relation to the decision. The decision will be formally adopted after it has been approved by the EU Member States acting through the European Council.
The UK government welcomed the decision in a statement issued by the Department for Digital, Culture, Media & Sport.
Clearview AI has been investigated and sanctioned by a number of different EU data protection authorities. However, Italy’s recent sanction stood out as it also sanctioned Clearview for failure to appoint an Article 27 Representative.