Adequacy Decision of the European Commission on UK Data Protection Law.
The European Commission decided on the future of UK data protection law on the 28th June 2021, answering the significant question that has remained post-Brexit as to how digital information will flow between the UK and Europe. The Commission has permitted UK access to EU data.
What does the European Commission's adequacy decision mean?
In its decision, the European Commission deemed that the UK’s data protection laws offer “adequate” protection of personal data. The Commission was of the view that the UK had incorporated the majority of the EU GDPR and Law Enforcement Directive into the Data Protection Act 2018 and that the ‘UK GDPR’, created by the 2019 Data Protection Regulations, was therefore adequate. The UK has reciprocally deemed the EU and EEA data policy as “adequate”.
What is the impact of the adequacy decision?
The decision is crucial in ensuring the seamless transfer of data between the UK and the EU in a post-Brexit world and has prevented the need for costly and time-consuming data sharing infrastructures to be devised had the UK’s policy been considered inadequate. Due to this, UK businesses can carry on receiving personal data- which is crucial for trade, innovation, investment and services- without having to take extra precautions or diverge from UK data protection policies when dealing with EU-related data points.
What would have happened had the decision been inadequate?
Had the UK GDPR been viewed as ‘inadequate’, personal data transfers between EU Member States and the UK would be governed by stringent rules that require the sender of data to verify that they have implemented “appropriate safeguards”. Parties to such data transfers would have to incorporate data protection clauses into their contracts, including costly and time-consuming data protection impact assessments (DPIA).
Curious about automated data extraction from documents?
Is the Commission's adequacy decision decisive?
The Commission’s “adequacy” decision is by no means conclusive. Its decision only remains in effect for four years and will then be reviewed under a unique sunset clause. The sunset clause limits the duration of the adequacy to four years and after which point, the decision will expire automatically. The inclusion of this sunset clause is a first in the Commission’s adequacy decisions and it has made explicit that if it sees a lapse in the standards of protection it will intervene immediately. After four years, the Commission can decide whether or not to renew its decision whereby the adoption process would restart.
As mentioned above, the decision means that DPIAs do not need to be carried out to permit the transfer of data between the UK and EU Member States. For businesses that hire and operate across Europe this means that they do not need to adopt complex data protection policies for their staff and clients in EU Member States.
How does the adequacy decision impact letting agents?
For letting agents, whilst Brexit has meant changes to the Right to Rent checks for citizens from the European Economic Area, the Commission’s adequacy decision is welcomed as it means that letting agents can continue to operate their data policies in the same way as before. For more information, read our article on the obligations the UK GDPR imposes on letting agents.
Legislate keeps ahead of these legal changes so you don’t have to. Our suite of lawyer-approved contracts put the confidence back into contracting. You can view a full list of our contracts.
To start Legislating today, book a demo with a member of our team or sign up!
The opinions on this page are for general information purposes only and do not constitute legal advice on which you should rely.