Ensuring the free flow of EU-UK data transfers

What is an adequacy decision?

Personal data is not protected everywhere in the world at a level that we are used to in the EU. Within the EU, one set of rules applies: the GDPR. That is why it is possible to process personal data or to have it processed in, for example, Finland or Cyprus. Different rules apply for transfers to a country outside the EU. Third countries are all countries outside the EU, with the exception of the countries in the European Economic Area (EEA). Iceland, Liechtenstein and Norway are within the EEA. Transfer of personal data from the Netherlands to a third country is in principle only allowed if the third country offers an adequate level of data protection.

The European Commission can make an adequacy decision if a third country provides an appropriate level of data protection in national law. This means that the European Commission has determined that the country offers a comparable level of data protection to the GDPR. The list of countries with an appropriate level of protection can be found here. 

Assessment on data protection

In the last few months the European Commission has assessed the UK law and practice on data protection. The results of this assessment were published in two draft adequacy decisions for the UK: one under the GDPR and the other under the Law Enforcement Directive. In the draft decisions the EU Commission concluded that the UK provides an adequate level of protection for personal data. After this, the European Data Protection Board provided a non-binding opinion on the EU Commission's conclusions. Next to this, a committee of representatives from member states had a final say on whether the draft decisions could be formally adopted. Lastly, the adequacy decisions were formally adopted.

Sunset clause

Interesting to note is that the EU Commission included a sunset clause, which means that the adequacy decisions will automatically expire after four years. After this time, the adequacy findings might be renewed, but only if the UK continues to ensure an adequate level of data protection. During these four years, the EU Commission will continue to monitor the legal situation in the UK and could intervene at any point, if the UK deviates from the level of protection currently in place. 

What does this mean for your organisation?

With the adequacy decisions, clarity to organisations has been given on how to proceed with EU-UK data transfers after 1 July 2021. Organisations in the EEA can now freely transfer personal data to the UK without additional safeguards in place, such as Binding Corporate Rules or Standard Contractual Clauses. This still means your organisation has to comply with the GDPR standards by:

1. Updating your register and record internally on the basis of which the data will be transferred to the UK.
2. Adjusting the privacy statement to inform your data subjects accordingly.
3. Ensure the rest of your third party risk management process is still up to date.

Brexit-desk PwC

The PwC Brexit specialists can help you determine the exact criteria that need to be met. They can also assist in setting up processes in order to ensure your business meets the new requirements for EU-UK data trasnfers.