On February 19, 2021, the European Commission adopted a draft ‘adequacy decision’ in favor of the UK. The adoption of the draft adequacy decision marks the first step in ensuring the continued free flow of personal data from EEA countries to the UK under the EU GDPR.
Once (and if) the final adequacy decision is adopted, companies in the EEA can (continue to) transfer personal data to data recipients the UK without putting in place additional compliance measures – such as the Standard Contractual Clauses (‘SCCs’) or Binding Corporate Rules (‘BCRs’).
Before the adequacy decision can ultimately be adopted, the process involves:
• The European Data Protection Board (‘EDPB’) issuing an opinion on the draft decision (the EDPB is the body through which the EU Member States’ data protection authorities coordinate their guidance and other work); and
• An approval from representatives of the EU Member States.
The free flow of personal data from the EEA to the UK is currently guaranteed on an interim basis by the ‘Bridging Mechanism’/ ‘Extended Free Flow Period’, which was agreed last year in the context of the EU-UK Trade and Cooperation Agreement. The Bridging Mechanism is designed to last in principle until 30 June 2021 – or until an adequacy decision is adopted. This appears to suggest a level of confidence on the part of the EU and the UK that the final adequacy decision will be adopted before 30 June this year.
The draft decision can be viewed here. At the same time, the European Commission adopted a separate draft adequacy decision with respect to the EU’s Law Enforcement Directive, which deals with the processing of personal data for law enforcement purposes.
