Ade­quacy decis­i­on: the United King­dom is con­side­red a secu­re third coun­try effec­ti­ve immediately

The EU Com­mis­si­on adopted two ade­quacy decis­i­ons  last week regar­ding data trans­fers bet­ween the EU and the United King­dom (UK). The­se ade­quacy decis­i­ons were adopted both under the Gene­ral Data Pro­tec­tion Regu­la­ti­on (GDPR) and under the Law Enforce­ment Direc­ti­ve.

Signi­fi­can­ce of Brexit for data transfers

Fol­lo­wing “Brexit,” the United King­dom is no lon­ger a mem­ber sta­te of the EU or the Euro­pean Eco­no­mic Area (EEA) as of 1 Janu­ary 2021. Accor­din­gly, the UK is gene­ral­ly clas­si­fied as a “third coun­try” from the view­point of data pro­tec­tion law, so that com­pa­nies trans­fer­ring per­so­nal data to the United King­dom are requi­red to com­ply with Artic­le 44 and the sub­se­quent Artic­les of the GDPR (only in Ger­man). They are requi­red to ensu­re that per­so­nal data in such third count­ries are sub­ject to an ade­qua­te level of data pro­tec­tion which con­forms to that of the GDPR. One way to estab­lish an ade­qua­te level of data pro­tec­tion is for the EU Com­mis­si­on to issue an ade­quacy decis­i­on, in accordance with Artic­le 45(3) of the GDPR. 

Impact of the ade­quacy decisions

The­se ade­quacy decis­i­ons, which take effect imme­dia­te­ly, reflect a fin­ding by the EU Com­mis­si­on that the level of pro­tec­tion for per­so­nal data in the United King­dom, even after Brexit,  con­forms to the level of pro­tec­tion which is gua­ran­teed under EU law. They place trans­fers of per­so­nal data bet­ween the United King­dom and the EU on a secu­re basis in data pro­tec­tion law for a long time to come.

Advan­ta­ges of the ade­quacy decisions

Thanks to the­se ade­quacy decis­i­ons, com­pa­nies trans­fer­ring data to the United King­dom may dis­pen­se with stan­dard con­trac­tu­al clau­ses for the time being, unli­ke the case for data trans­fers to the US. This means that com­pa­nies will not have to per­form the cos­t­ly risk ana­ly­ses which are requi­red when using stan­dard con­trac­tu­al clauses.

Future deve­lo­p­ments

The ade­quacy decis­i­ons app­ly for a limi­t­ed term of four years (the “sun­set clau­se”), during which time the EU Com­mis­si­on plans to con­ti­nue to obser­ve the legal situa­ti­on in the United King­dom and to inter­ve­ne in the event of devia­ti­ons from the exis­ting level of data pro­tec­tion. This step was taken in light of state­ments from cri­tics of the ade­quacy decis­i­ons alle­ging that the powers available to natio­nal secu­ri­ty aut­ho­ri­ties in the United King­dom to access per­so­nal data are com­pa­ra­ble to tho­se of the US natio­nal secu­ri­ty aut­ho­ri­ties which are cri­ti­ci­zed by the ECJ in the “Schrems II” ruling. Accor­din­gly, we can­not enti­re­ly rule out the pos­si­bi­li­ty that data trans­fers to the United King­dom may be pro­ble­ma­tic in the future. But for the time being, the new ade­quacy decis­i­on crea­tes legal cer­tain­ty with regard to data trans­fers bet­ween the EU and the United Kingdom.

Data trans­fers to other third countries

The ade­quacy decis­i­on has no impact on data trans­fers to other third count­ries, such as e.g. the US. Com­pa­nies enga­ging in such trans­fers should heed the new recom­men­da­ti­ons from the Euro­pean Data Pro­tec­tion Board on “Schrems II”, the new stan­dard con­trac­tu­al clau­ses and the ongo­ing inves­ti­ga­ti­ons being con­duc­ted by Ger­man data pro­tec­tion aut­ho­ri­ties.

Cont­act us any­ti­me if you have any ques­ti­ons rela­ting to exis­ting third-country transfers.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.