The European Commission adopted on 28 June 2021 two decisions finding an adequate level of protection for personal data in the United Kingdom of Great Britain and Northern Ireland. Personal data can now, based on these decisions, continue to flow freely from the European Union (EU) to the UK, enjoying there a level of protection equivalent to that guaranteed by EU law.
Despite leaving the European Union, the UK’s data protection regime currently remains unchanged from the time of membership. Therefore, after a thorough analysis of UK law and practice, the Commission has concluded that the UK provides an adequate level of protection for data transferred from the EU.
However, the concern about whether the UK will move away from the current standard of personal data protection in the future remains valid. The Commission’s adequacy decisions respond to these concerns by building in legal safeguards in case of divergences in the UK data protection regime arise. For the first time, adequacy decisions contain a so-called “sunset clause” which strictly limits their duration to four years. After this period, adequacy determinations can be renewed, but only if the UK continues to provide an adequate level of data protection.
The UK, at the end of the transition period (i.e. 31 December 2020) under the European Union (Withdrawal) Act 2018, incorporated the vast majority of EU law into its domestic legal order, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals concerning the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (as part of so-called retained EU law). Retained European law is a set of rules linked to the European Union, and its creation was intended, among other things, to provide legal stability in the face of the UK’s withdrawal from the EU. The current data protection regime in the UK consists of the regulations contained in Regulation 2016/679, incorporated in its entirety into the UK legal system, and the Data Protection Act 2018. Both documents were amended in connection with the UK’s withdrawal from the European Union essentially only on technical issues (such as removing references to “Member State” and adjusting terminology).
Author: Magdalena Frąckowiak – an attorney at LSW law firm. She specialises in issues of business law, and international business law, transactional advisory and financing and collateral matters.