20221101_bpe_teams_1184_wide

News & Events

;
Insight

European Commission decision is the first step to UK gaining adequate data protection status

After months of discussions, on Friday 19 February the European Commission announced a step towards approving continued free flow of data between the EU and the UK. For the full press release, click here.

The European Commission has announced that it is planning to grant the UK two adequacy decisions, one under the GDPR and the other for the Law Enforcement Directive (LED).

What is the adequacy decision?

The draft data adequacy decisions, put simply, mean that the European Commission recognises that the UK’s post-Brexit data protection standards (which are now known as the ‘UK GDPR’) offer essentially equivalent protections to those granted under the EU’s GDPR and, for the first time, under the LED. There has never been an issue with regards to data-sharing from the UK into the EU, as the UK recognised the EU as a ‘safe harbour’ for receipt of data transfers from the outset. However, this new decision will enable UK and EU businesses to continue sharing data in both directions while adhering to largely shared data protection laws.

Finalising the decision is expected to take several months as discussions with the European Data Protection Board are required before the UK formally receives ‘adequate’ status.

What is the significance of the adequacy decision?

Giving the UK adequacy status makes transferring personal data between the EU and the UK easier. In a post-Brexit world this is a positive step for UK businesses as it strengthens trade confidence and innovation as well as facilitating health and scientific research (which is particularly pertinent now). It will also provide significant benefits for organisations with offices, branches or operations in both the UK and the EU.

Being able to transfer personal or sensitive data from the EU to the UK without safeguards beyond those already in place will save UK businesses extra paperwork and the requirement for further risk and impact assessments.

The UK will join countries including Argentina, Canada, Israel, Japan, New Zealand, Switzerland and Uruguay who have already achieved ‘adequate’ status.

What do you need to do now?

As explained, it will take several months for the decision to be finalised but given the expected ‘adequate’ status, UK businesses can continue to transfer data to and from the EU providing that it is compliant with existing data protection regulations.

As the UK will no longer be bound by EU privacy rules, the EU’s decisions will only be valid for an initial period of four years from when the draft decisions are finally adopted. After four years, it will be possible for the EU to renew the adequacy finding if the UK’s provisions remain ‘equivalent’.

 

These notes have been prepared for the purpose of articles only. They should not be regarded as a substitute for taking legal advice.

Related articles

  • Contracts in a digital age

    David Ashcroft, who recently joined BPE Solicitors as Partner, discusses what is needed to enter...

    View

  • Breaking: Uber drivers are workers rules Supreme Court

    The UK Supreme Court has confirmed that Uber drivers are workers, entitled to national minimum wa...

    View

  • Can employers enforce post-termination restrictions against employees who leave during their probationary period?

    In this article, Will Carter analyses the recent High Court decision in Quilter Private Client Ad...

    View

Get in touch

Talk to us about your legal challenges and discover how our expert, pragmatic legal advice and broad commercial acumen can help.

Cookies

To provide a personalised and responsive service, we use cookies. Please click here to access our Cookie Policy to understand what cookies we set and what they do.

Manage Tracking

Please select and accept your tracking preferences: