In February we reported that the European Commission (the “Commission”) had published a draft adequacy decision recognizing the UK’s high standards of data protection (click here).  On Monday, June 28 2021, the Commission announced that it has adopted final adequacy decisions for the UK, one under the GDPR and the other for the Law Enforcement Directive (press release here). The Commission highlighted that one of the decisive factors behind the decisions was that the UK’s data protection regime continues to be based on the same rules as were applicable when the UK was a Member State of the EU, and the UK has fully incorporated the principles, rights and obligations of the GDPR and the Law Enforcement Directive into its post-Brexit legal system.

The decisions mean that organisations do not need to rely on data transfer mechanisms such as EU Standard Contractual Clauses when transferring personal data from the EU to the UK.  Personal data can continue to flow freely between the regions on the basis that the UK has an essentially equivalent level of protection to that guaranteed under EU law.

In its press release the Commission noted that UK immigration control related transfers are excluded from the scope of the GDPR adequacy decision to reflect a recent judgment in The Open Rights Group & Anor, R (On the Application Of) v The Secretary of State for the Home Department & Anor [2021] EWCA Civ 800. The Commission stated that it will reassess the need for this exclusion once the situation has been remedied under UK law.

How long the UK will benefit from the adequacy decisions is another question. For the first time, the adequacy decisions include a so-called ‘sunset clause’, which strictly limits their duration. The sunset clause provides that the decisions will automatically expire four years after their entry into force. This will give the UK government something to consider if and when it proposes any changes to the UK GDPR. In a report released earlier this month (Click here), The Task Force on Innovation, Growth and Regulatory Reform, chaired by Conservative former leader Sir Iain Duncan Smith, proposed replacing the UK GDPR with a new, more proportionate, UK framework of citizen data rights: a common law approach that would allow case law to adapt to new technologies such as artificial intelligence and blockchain.  How the Commission would react to this sort of change to the UK GDPR is anyone’s guess, but the Commission has made it clear that they could intervene at any point if the UK deviates from the level of protection currently in place.