The free flow of data between the EU and the UK is now guaranteed
Following Brexit, the United Kingdom became a third country under the General Data Protection Regulation (GDPR). As a result, transfers of personal data from the EU to the UK are allowed only if the level of data protection in the UK is equivalent to that of the EU.
On 28 June 2021 the European Commission adopted an adequacy decision for the UK thus confirming the adequate level of data protection in the UK. The UK’s data protection system continues to be based on the same rules that were applicable when the UK was a Member State of the EU. The UK has fully incorporated the principles, rights and obligations of the GDPR into its post-Brexit legal system. The decision comes at the very last minute since the transition period for EU citizens and their families to remain in the UK after it leaves the EU expired on 30 June 2021.
As a result, the flow of data will not be affected and the free flow of data with the UK will continue unrestricted for the time being. Data transfers for UK immigration control are excluded from the material scope of the adequacy decision due to a recent decision by the Court of Appeal of England and Wales on the validity and interpretation of certain restrictions of data protection rights in this area.
The adequacy decision includes a so-called ‘sunset clause’, which strictly limits its duration. This means that the decision will automatically expire four years after its entry into force, i.e. on 27 June 2025. Renewal is only possible if the UK continues to ensure an adequate level of data protection. But even during these four years, the EU Commission may intervene at any time if the level of data protection in the UK deviates from the level of protection currently in place, i.e. the Commission may suspend, repeal or amend the adequacy decision. If, after the four years, the Commission decides to renew the adequacy decision, the adoption process would start again.
For more information, please refer to: