5 months since the draft decisions on UK adequacy were first published, the European Commission has confirmed the Decision to grant the UK adequacy.

Broadly (there are some, hopefully temporary, limits on immigration-related data), data can continue to flow freely between the UK and the EEA without the need for additional measures that non-adequate third countries need to put in place. The sunset clause which limits the duration of adequacy to four years at which point it automatically expires remains in the final decision (although the adequacy decision can always be renewed – this would of course depend on the level of data protection divergence that took place in that time).

While many will see this as a reason to celebrate, there are some who are more reticent, ready for the potential challenge to the decisions. It is hoped that the Court of Appeal’s findings in the recent Open Rights Case (which declared the Data Protection Act 2018’s immigration exemption to be unlawful) and the UK government’s subsequent amendment to the legislation, will help to partially ease concerns. However, with surveillance concerns remaining (at least in some minds), one cannot discount a privacy activist testing the waters (Schrems III perhaps or time for someone else to take up the mantle?).

Let’s look at the positive side though - the UK has a finding of adequacy from the EU, and within the 6 months bridging timeline. This is no mean feat. Many recognise the importance of the digital economy to both the UK and the EEA and believe pragmatism, and the need to rebuild post-pandemic, have seen these decisions marshalled to a successful conclusion.

So what next?

It’s time to appreciate the cliff edge of the 30 June 2021 is behind us. We can at least breathe a sigh of relief for now that, until the 4 year review period rolls around in June 2025, or a potential challenge reaches a successful conclusion (which should take years to be heard), we have certainty on transfers between the EEA and the UK. This is some cause for celebration at least.


Věra Jourová, Vice-President for Values and Transparency, said: “The UK has left the EU but today its legal regime of protecting personal data is as it was. Because of this, we are adopting these adequacy decisions today… we have significant safeguards and if anything changes on the UK side, we will intervene”. This comes at a time shortly after a recommendation by the Taskforce on Innovation, Growth and Regulatory Reform (TIGRR) that the UK should diverge from the GDPR and embrace an approach a more common law approach to data protection. While there has been no suggestion from the government that this recommendation will be adopted, the UK will need to weigh the perceived benefit of any divergence against the risk of a removal of the adequacy decision.