The European privacy family & UK: towards an adequate level of personal data protection

The first step for the adoption of the adequacy decisions for transfers of personal data from the EU to the United Kingdom has been taken: the European Commission has published two draft decisions, one under the General Data Protection Regulation (GDPR) and the second one under the Law Enforcement Directive (LED).

The European Commission has thoughtfully assessed the UK’s law and practice on personal data protection and concluded that the level of protection guaranteed in the UK is fundamentally equivalent to that of the EU, ensured under both the GDPR and the LED.

What steps should be taken next?

After obtaining an opinion from the European Data Protection Board, the European  Commission will call for the approval of Member States’ representatives in the commonly named comitology procedure. Subsequent to this procedure, the Commission will adopt the two adequacy decisions.

The adopted decisions would be valid for an initial period of four years. The renewal of the adequacy finding would be possible provided that the level of protection in the UK remains adequate.

Article 45(3) of the GDPR and Article 36(3) of the LED lay the basis for the adopted approach, empowering the Commission to decide that a non-EU country guarantees an ‘adequate level of protection’ i.e. a level of protection for personal data that is essentially equivalent to the level of protection within the EU. Therefore, if a non-EU country is assessed as adequate and, accordingly, its level of protection is essentially equivalent to that of the EU, transfers of personal data can be performed without further conditions.

Since the UK  is no longer committed to the European privacy legislation, while remaining a party of? the binding Convention 108, the future proof of the adequacy decisions becomes vital. Quoting the Commissioner for Justice Reynders’ words (2021), “EU citizens’ fundamental right to data protection must never be compromised when personal data travel across the Channel. The adequacy decisions, once adopted, would ensure just that”.

Finally, the European Commission (2021) recalled that “Data flows in the other direction – from the UK to the EU – are regulated by UK legislation, which applies since 1 January 2021. The UK decided that the EU ensures an adequate level of protection and that therefore data can flow freely from the UK to the EU”.


Leyre Carrasco Alonso – Regulatory Affairs Department

Would you like to know more? Contact us today!

Get in touch


Share This

Copy Link to Clipboard