Insights

Post-Brexit data transfers: EU draft GDPR UK adequacy decision

Posted Tuesday 9th March 2021

On Friday 19 February 2021, the European Commission published a draft adequacy decision in respect of the UK’s data protection regime which, if approved, will allow personal data to continue to be transferred from the EU to the UK without any additional safeguards. The draft decision was widely anticipated following a number of leaks – and given the political pressure on both sides of the Channel – but it has nonetheless been met with relief both by the UK government and businesses.

The current state of play: data transfers under the EU-UK trade agreement

Following the end of the Brexit transitional period, the UK became a ‘third country’ for the purposes of the EU GDPR, meaning that absent an adequacy decision, data transfers would not be able to continue without data protection safeguards being put in place.

After numerous rounds of negotiation, on 30 December the UK and the EU signed the UK-EU Trade and Co-operation Agreement. That agreement instituted a stop-gap solution known as the ‘adequacy bridge’ under which cross-border data transfers could continue as if the UK were still a member of the EU, effectively operating as a short-term adequacy decision. This interim solution was due to expire on 30 April 2021 with the possibility of an extension for a further two months up to 30 June 2021. The purpose of the bridge was to provide the European Commission the time it needed to review the UK data protection regime and, all being well, for it to make a finding of adequacy, which thankfully it now has.

Adequacy decisions explained

The GDPR provides that the European Commission can approve a third country’s data protection framework as ‘adequate’ (i.e. offering protections equivalent to the GDPR.) If the adequacy decision is formally adopted by the EU then personal data may be transferred between the EU and the third country provided only the local laws and the GDPR are complied with. If there is no adequacy decision then the data exporters and importers need to utilise ‘safeguards’ to provide further protection to EU data subjects, the most commonly used being the standard contractual clauses and binding corporate rules, as well as the additional checks and compliance considerations that go with them.

Given that UK data protection laws are – for now at least – essentially copied and pasted from EU law, an adequacy decision has been expected, but the decision was not being taken for granted given that the criteria for adequacy has tightened in the wake of various data protection decisions from the Court of Justice of the European Union (CJEU), particularly the much publicised Schrems II and Privacy International judgments which overturned the adequacy decision given in respect of the EU-US Privacy Shield.

The UK government has stated that it views the EU regime as being equivalent to that of the UK as a matter of fact and it is therefore expected that a formal adequacy decision by the UK will also be made in order to allow data transfers from the UK to the EU to continue.

Key points of the draft adequacy decision

  1. If the adequacy decision is adopted (see What happens next? below) then, provided the data exporter in the EU and the data importer in the UK follow the EU and UK GDPR respectively, they will not need to take any further steps to transfer personal data from the EU to the UK.
  2. The adequacy decision will be valid for four years, after which it will be reviewed again by the Commission. It may also be reviewed earlier by the CJEU in the event that it is challenged in court. The adequacy decision will also be continuously monitored by the EC during its term.
  3. In order to maintain the finding of adequacy and ensure that it is renewed, the UK must keep legislation in place that offers an adequate level of data protection that is equivalent with the EU GDPR – that is, there cannot be material divergence. We do not know whether the UK government will continue to closely align data protection rules with the EU but, in the event that there is a divergence, the adequacy decision may be put at risk.

What happens next?

The release of the draft adequacy decision is just the first step in the process. It will now be reviewed by the European Data Protection Board (EDPB) which will deliver an opinion on it and it will then be submitted to representatives of EU Member States for approval (the ‘comitology’ procedure). The draft may be amended based upon the EDPB’s feedback. While the decision is under review, however, data can continue to be transferred from the EU to the UK under the adequacy bridge. After the EDPB issues its final opinion, the European Commission will adopt the decision.

Given the impending expiry of the adequacy bridge the EU is under pressure to approve the decision quickly. In making the recent Japanese adequacy decision the comitology stage took four months from the publication of the draft to the final decision while the decision process as a whole took two years. It remains to be seen how well the EU will cope with the unusually tight timing constraint.

Do I need to do anything?

If the decision is adopted in its current format it will allow personal data to be transferred from the EU to the UK without additional safeguards. The UK would join the currently-short list of approved “third countries” alongside Israel, Switzerland, New Zealand, Japan and a few others.

It should be noted, however, that cross border data transfers are often made in order for the data to be processed in some manner, such as being held on cloud storage or for analysis. Wherever processing is being undertaken by a third-party data processor there is a requirement under the GDPR for a written agreement to be in place – if there isn’t then the processing is in breach of the GDPR. This is an important point to bear-in-mind.

EU data exporters, and data importers based in the UK who receive data from the EU, will, generally speaking, not need to make any changes to their agreements if they already have GDPR compliant documents in place. They should, however, always keep their data processing under review and if any new types of data processing are being carried out or if the purpose or types of data that are being processed have changed then the agreements and privacy policies may need to be updated.  Please do not hesitate to contact us should you require any support in this area.


This article is for reference purposes only. It does not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking or deciding not to take any action.


Share this article

Certified B Corporation