Right before the extended transition period will expire at the end of June, the EU Commission adopted the awaited adequacy decision for the UK on June 28, 2021 (available here). This allows companies to continue transferring personal data to the UK without additional security measures. The adequacy decision will expire on June 27, 2025, but the EU Commission may extend its validity.

Background

After the UK's exit from the EU, the EU Commission had waited a long time to adopt an adequacy decision for the UK pursuant to Article 45 (3) of the EU General Data Protection Regulation (GDPR). Such an adequacy decision is necessary to allow companies to transfer personal data to entities outside the EU / EEA without additional security measures. Considering that the UK had largely adopted the requirements of the GDPR in a UK-GDPR after leaving the EU, the extended delay of the EU Commission is to be understood rather politically.

Practical significance

The EU Commission's decision makes it easier for companies to transfer data to the UK. In particular, companies do not have to conclude EU standard contractual clauses to secure such transfers (see our report on current developments). Nevertheless, an independent justification under data protection law is of course still necessary for data transfers to third parties even with the adequacy decision. All other requirements of the GDPR also continue to apply.

In view of the UK's role in the NSA scandal, it is quite possible that the decision will be reviewed by the ECJ sooner or later. However, in the mid-term at least, it offers companies a high level of security when transferring data to the UK. Companies will, therefore, not have to make any additional adjustments to their international data transfers in addition to those that have been necessary since the ECJ's Schrems II ruling.