Businesses will have been relieved yesterday to read that the European Commission (EC) adopted adequacy decisions for the UK under the GDPR and the Law Enforcement Directive (both accessible here). The UK's adequacy decisions means UK businesses and organisations can continue to receive personal data from the EU without having to put additional arrangements in place with European counterparts.
By way of reminder, an adequacy decision is a determination by the EC that a non-EU country (or sector within a non-EU country) offers an adequate level of data protection and therefore that personal data can be shared with it. Where an adequacy decision is made, personal data can be freely transferred from the EU to that jurisdiction without the need for additional mechanisms to facilitate the transfer (such as further safeguards or authorisation from a national supervisory authority). Only a few weeks ago, and with the end of the bridging period for the EU-UK Trade and Cooperation Agreement fast approaching, there were concerns that such decisions might not be forthcoming. See the article written by Mona Patel (Partner) and me here.
Mindful of the possible divergence of data protection rules post-Brexit, both decisions include a 'sunset clause' which means they will automatically expire on 27 June 2025 and will only be renewed if the UK continues to ensure an adequate level of data protection. In the interim, the EC will continue to monitor the legal situation in the UK and could amend/revoke the adequacy decisions at any point if the UK deviates from the level of protection currently in place.
Personal data can now flow freely from the European Union to the United Kingdom where it benefits from an essentially equivalent level of protection to that guaranteed under EU law.