EU and UK data flows

Draft agreements have been published which, if ratified, should allow for a continued free flow of personal data from the EU into the UK.

Is this an issue? Well, yes. Since the UK left the EU and the conclusion of the transition period, the UK is now considered to be a ‘third country’ for the purposes of the EU General Data Protection Regulation (GDPR). This means that unless the European Commission awards the UK a Certificate of Adequacy (confirming that the UK’s national data protection regime is of sufficient standard to allow data transfer), additional safeguards and provisions would have to be taken by each individual business, in relation to each individual transfer of data from the EU to the UK.

On 17th February the EU published draft data adequacy decisions which recognise the sufficiency of the UK’s data protection standards. Positive data adequacy decisions under both the GDPR and the Law Enforcement Directive (LED) would allow for personal data to continue to flow freely from the European Union (EU) and wider European Economic Area (EEA) to the UK. Confirmation of the draft adequacy decisions will help make sure UK organisations can continue to receive personal data from the EU and EEA without additional compliance costs.

This is not a done deal yet. The draft adequacy decisions have subsequently been adopted by the European Data Protection Board which identified many aspects of the UK regimes as essentially equivalent to the EU (but also warned that such alignment must be maintained and monitored). EU member states must now give their formal approval. Once implemented the adequacy decision will be reviewed every four years and extended on a rolling basis provided there is no later divergence between the EU and UK regimes. 

Currently EU/EEA to UK transfers of data are operating under a bridge scheme legislated for in the UK-EU Trade and Cooperation Agreement (TCA). This scheme extends the free flow of personal data between the EU/EEA and the UK for up to six months, ending at its latest on the 30 June 2021. It has facilitated the free flow of personal data from the EU/EEA to the UK without additional compliance measures such as Standard Contractual Clauses.