Adequacy decision: the United Kingdom is considered a secure third country effective immediately

Stefan Hessel

The EU Commission adopted two adequacy decisions  last week regarding data transfers between the EU and the United Kingdom (UK). These adequacy decisions were adopted both under the General Data Protection Regulation (GDPR) and under the Law Enforcement Directive.

Significance of Brexit for data transfers

Following "Brexit," the United Kingdom is no longer a member state of the EU or the European Economic Area (EEA) as of 1 January 2021. Accordingly, the UK is generally classified as a "third country" from the viewpoint of data protection law, so that companies transferring personal data to the United Kingdom are required to comply with Article 44 and the subsequent Articles of the GDPR (only in German). They are required to ensure that personal data in such third countries are subject to an adequate level of data protection which conforms to that of the GDPR. One way to establish an adequate level of data protection is for the EU Commission to issue an adequacy decision, in accordance with Article 45(3) of the GDPR. 

Impact of the adequacy decisions

These adequacy decisions, which take effect immediately, reflect a finding by the EU Commission that the level of protection for personal data in the United Kingdom, even after Brexit,  conforms to the level of protection which is guaranteed under EU law. They place transfers of personal data between the United Kingdom and the EU on a secure basis in data protection law for a long time to come.

Advantages of the adequacy decisions

Thanks to these adequacy decisions, companies transferring data to the United Kingdom may dispense with standard contractual clauses for the time being, unlike the case for data transfers to the US. This means that companies will not have to perform the costly risk analyses which are required when using standard contractual clauses.

Future developments

The adequacy decisions apply for a limited term of four years (the "sunset clause"), during which time the EU Commission plans to continue to observe the legal situation in the United Kingdom and to intervene in the event of deviations from the existing level of data protection. This step was taken in light of statements from critics of the adequacy decisions alleging that the powers available to national security authorities in the United Kingdom to access personal data are comparable to those of the US national security authorities which are criticized by the ECJ in the "Schrems II" ruling. Accordingly, we cannot entirely rule out the possibility that data transfers to the United Kingdom may be problematic in the future. But for the time being, the new adequacy decision creates legal certainty with regard to data transfers between the EU and the United Kingdom.

Data transfers to other third countries

The adequacy decision has no impact on data transfers to other third countries, such as e.g. the US. Companies engaging in such transfers should heed the new recommendations from the European Data Protection Board on "Schrems II", the new standard contractual clauses and the ongoing investigations being conducted by German data protection authorities.

Contact us anytime if you have any questions relating to existing third-country transfers.

[July 2021]