• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to secondary sidebar

Alston & Bird Privacy, Cyber & Data Strategy Blog

  • Home
  • Services
  • Events
  • Contacts

European Commission Adopts Draft UK Adequacy Decision

February 23, 2021 By Paul Greaves and Wim Nauwelaerts

On February 19, 2021, the European Commission adopted a draft ‘adequacy decision’ in favor of the UK. The adoption of the draft adequacy decision marks the first step in ensuring the continued free flow of personal data from EEA countries to the UK under the EU GDPR.

Once (and if) the final adequacy decision is adopted, companies in the EEA can (continue to) transfer personal data to data recipients the UK without putting in place additional compliance measures – such as the Standard Contractual Clauses (‘SCCs’) or Binding Corporate Rules (‘BCRs’).

Before the adequacy decision can ultimately be adopted, the process involves:

• The European Data Protection Board (‘EDPB’) issuing an opinion on the draft decision (the EDPB is the body through which the EU Member States’ data protection authorities coordinate their guidance and other work); and
• An approval from representatives of the EU Member States.

The free flow of personal data from the EEA to the UK is currently guaranteed on an interim basis by the ‘Bridging Mechanism’/ ‘Extended Free Flow Period’, which was agreed last year in the context of the EU-UK Trade and Cooperation Agreement. The Bridging Mechanism is designed to last in principle until 30 June 2021 – or until an adequacy decision is adopted. This appears to suggest a level of confidence on the part of the EU and the UK that the final adequacy decision will be adopted before 30 June this year.

The draft decision can be viewed here. At the same time, the European Commission adopted a separate draft adequacy decision with respect to the EU’s Law Enforcement Directive, which deals with the processing of personal data for law enforcement purposes.

Filed Under: Data Protection, International, Privacy, Regulation Tagged With: Adequacy, Brexit, European Union (EU), GDPR, United Kingdom

About Paul Greaves

Paul Greaves is an associate in the Brussels office and a member of the Privacy & Data Security Team. Paul’s privacy, information technology, and data protection practice includes a focus on compliance with the General Data Protection Regulation, ePrivacy rules, and cross-border data transfers.

[Read Bio]

About Wim Nauwelaerts

Wim Nauwelaerts is a partner in the Brussels office, leading Alston & Bird’s European Privacy & Data Security Team. Wim has over 20 years of experience working with global companies on their data protection, privacy, and cybersecurity needs, including General Data Protection Regulation (GDPR) readiness, data transfer, data security and breach requirements, and compliance training.

[Read Bio]

Primary Sidebar

This blog is a service of Alston & Bird’s Privacy, Cyber & Data Strategy team and focuses on key data privacy and data security issues.


Receive email notifications when new posts are added.

Receive email notifications when new posts are added.


THE DIGITAL DOWNLOAD
Click here to see the editions

PRIVACY & CYBER EVENTS
Click here to see upcoming and past events

PRIVACY & CYBER MAILINGS
Click here to sign up

@ALSTONPRIVACY
Click here to follow us on Twitter

Secondary Sidebar

Categories

Recent Posts

  • The GDPR Reaches the US Supreme Court in Cert Petition
  • Another Court Dismisses Data Breach Class Action Lawsuit for Lack of Standing
  • NYDFS Reports Major Cybersecurity Settlement
  • Virginia Becomes First State with Comprehensive Privacy Law after CCPA
  • President Biden Issues Executive Order on America’s Supply Chains
Copyright © 2021 · Alston & Bird · All Rights Reserved. Privacy.