The European Union (EU) has adopted two adequacy decisions for the United Kingdom (UK); firstly, under GDPR and the second for the Law Enforcement Directive.

As a result, the flow of personal data between the UK and the EU will continue with no deviation or restriction.  The EU has concluded that the UK ensures an adequate level of data protection.

Věra Jourová, Vice-President for Values and Transparency, said: “The UK has left the EU but today its legal regime of protecting personal data is as it was. Because of this, we are adopting these adequacy decisions today.” 

 The main reasons for this agreement are based upon:

• The UK’s data protection systems continuation to be based on the same rules applicable when the UK was an EU member state with full incorporation of the rights, principles and obligations of GDPR and the Law Enforcement Directive into the post-Brexit legal system
• Mutual access to personal data by public bodies for the interest of national security and the UK’s continued provision for strong safeguards.
• A ‘sunset clause’ has been included within the adequacy decisions. The adequacy decisions will expire in four years however may be extended as long as the EU feel that the UK continues to ensure an adequate level of data protection

The EU-UK Trade and Cooperation Agreement (TCA) includes commitments by both parties to ensure high levels of data protection standards.  It also includes a provision to ensure data transfers to adhere to the TCA must comply with both GDPR and the Law Enforcement Directive.

More information on the Adequate Decisions may be found here:

•  ICO statement in response to the EU Commission’s announcement on the approval of the UK’s adequacy – click here.
•  Data protection: Commission adopts adequacy decisions for the UK – click here.