Commission adopts adequacy decisions for the United Kingdom

The European Commission, having assessed carefully over the passing months the consequences occurring after Brexit on the 28th of June 2021, has enforced two implementing Decisions:

  1. pursuant to the Regulation (EU) 2016/679 (GDPR) on the adequate protection of personal data by the United Kingdom, and
  2. pursuant to Directive (EU) 2016/680 (Law Enforcement Directive) on the adequate protection of personal data by the United Kingdom.

These decision-mechanisms mark the commencement of free movement and flow of personal data between the European Union and the United Kingdom as the latter now enjoys an equivalent level of protection under the EU Law. Therefore, UK enterprises and organizations can now benefit from  unrestricted personal data transfer.

Decision pursuant to (EU) 2016/679 (GDPR):

For the purposes of Article 45 of Regulation (EU) 2016/679, the United Kingdom ensures an adequate level of protection for the personal data transferred within the scope of Regulation (EU) 2016/679 from the European Union to the United Kingdom.

Decision pursuant to (EU) 2016/680 (Law Enforcement Directive):

The United Kingdom ensures an adequate level of protection within the meaning of Article 36(2) of Directive (EU) 2016/680, interpreted in view of the Charter of Fundamental Rights based on both the relevant United Kingdom domestic regime and its international commitments, in particular adherence to the European Convention of Human Rights and, submission to the jurisdiction of the European Court of Human Rights. Continued adherence to such international obligations is therefore a particularly important element of the assessment on which this Decision is based.

Duration and Renewal of the Decisions:

The Commission makes allowances for the end of the transition period provided by the Withdrawal Agreement and as soon as the interim provision under Article 782 of the EU-UK Trade and Cooperation Agreement will cease to apply, the United Kingdom will administer, apply and enforce a new data protection regime, comparable to the one in place when it was bound by EU law.

This may notably involve amendments or changes to the data protection framework assessed in the Decisions, as well as other relevant developments.

It is therefore appropriate to emphasize that both Decisions will apply for a period of four years as of their entry into force.

For more information for the implementing decisions, you may address the following links:

Elias Neocleous & Co LLC., has an extensive Data, Privacy and Cybersecurity Department which would be pleased to assist you in managing this change.  For more information, please speak with a member of our Data, Privacy and Cybersecurity Department at [email protected] and/or reach out to your usual contact at Elias Neocleous & Co LLC.