EU-UK Adequacy Decision

On 25 June 2021 the European Commission adopted two Adequacy Decisions for the UK - one under the General Data Protection Regulation (GDPR) and the other for the Law Enforcement Directive.

An Adequacy Decision is a formal decision made by the EU which recognises that another country, territory, sector or international organisation provides an equivalent level of protection for personal data as the EU does. Personal data can now flow freely from the EU to the UK where it benefits from an essentially equivalent level of protection to that guaranteed under EU law. The Adequacy Decisions also facilitate the correct implementation of the EU-UK Trade and Cooperation Agreement of 30 December 2020 , which foresaw the exchange of personal information, for example for cooperation on judicial matters.

Both Adequacy Decisions include strong safeguards in case of future divergence, such as a ‘sunset clause’, which limits the duration of adequacy. The European Commission will start work later in 2024 to decide whether to extend the Adequacy Decisions for the UK for a further period up to a maximum of another four years. If they don’t extend the decisions, then they will expire on 27 June 2025.

The UK’s data protection system continues to be based on the same rules that were applicable when the UK was an EU Member State. The EU accepts that the UK has fully incorporated the principles, rights and obligations of the GDPR and the Law Enforcement Directive into our postBrexit legal system.

With respect to access to personal data by public authorities in the UK, notably for national security reasons, the UK system provides for strong safeguards. In particular, the collection of data by intelligence authorities is, in principle, subject to prior authorisation by an independent judicial body. Any measure needs to be necessary and proportionate to what it intends to achieve.

EU-USA Adequacy Decision

On 10 July 2023, the European Commission adopted its Adequacy Decision for the EU-US Data Privacy Framework (DPF). The Decision concluded that the USA does now ensure an adequate level of protection for transferring personal data from the EU to the USA and supersedes the ECJ’s decisions in Schrems which invalidated then prior frameworks for EU-to-US cross-border data transfers

The DPF creates a lawful transatlantic framework that allows the free flow of data from the EU to DPF-certified companies located in the USA. It will no longer be necessary for these transferring entities to implement additional safeguards (e.g., binding corporate rules, the European Commission’s standard contractual clauses, industry-specific codes of conduct or EU certification mechanisms) to ensure that personal data continues to be protected under the EU’s General Data Protection Regulation.

Northamptonshire Law Society Officers & Council Members 2022