The EU Commission has today confirmed that the UK has been granted adequacy with effect from today’s date. This will be very welcome news for businesses that transfer data between the UK and the EU and it marks the end of transfer contingency planning for many. Two decisions have been adopted, one under the GDPR and another under the Law Enforcement Directive.
Today’s decision means that data can continue to be freely transferred from the EU to the UK as it currently is and that there is no need for safeguards, such as SCCs, to be put in place for these transfers. Data transfers from the UK to the EU continue to be permitted under the UK’s adequacy regulations in respect of the EU.
The adequacy decisions are the first to include what is known as a ‘sunset clause’ which means they are limited in duration to a period of four years. This means they will expire on 27 June 2025 unless they are extended. Prior to their expiry date the EU Commission will monitor the level of protection provided for data in the UK.
It is of course still necessary to put safeguards in place for data transfers from the EU or the UK to third countries which are not deemed to offer an adequate level of protection as these transfers will not be affected by today’s decision. Where data is being transferred from the EU to third countries, you should consider whether it is necessary to put in place the new EU SCCs - further information about the new SCCs is available at here.
If you require assistance with SCCs or data protection law generally, please contact the Corporate and Commercial department at 3CS or your usual 3CS contact.