On 28 June 2021, the European Commission adopted two adequacy decisions for the United Kingdom, one under the General Data Protection Regulation (GDPR) (here) and the other under the Law Enforcement Directive (here). This follows draft versions that were published by the European Commission on 19 February 2021. 

The new adequacy decisions have been adopted by the European Commission just in time. The interim bridging mechanism under the EU-UK Trade and Cooperation Agreement, which permitted personal data to be transferred from the EU to the UK following the end of the Brexit transition period, expires on 30 June 2021. 

The new adequacy decisions mean that personal data can continue to be transferred from the EU to the UK without additional steps such as the Standard Contractual Clauses being put in place to address such transfers. 

However, the adequacy decisions include a "sunset clause", which limits the duration of the decisions. Therefore, the adequacy decisions will automatically expire four years after they enter into force. This means the adequacy decisions will expire on 27 June 2025. After this period, the adequacy findings may be renewed, but only if the UK continues to ensure an adequate level of data protection. The European Commission will monitor the legal position in the UK during this four year period and can suspend, repeal or amend the adequacy decisions, for example if the UK deviates from the level of data protection currently in place. These are clear warnings to the UK regarding future changes to UK data protection laws. This is particularly relevant in light of the recent report from the Taskforce on Innovation, Growth and Regulatory Reform which included proposals to the Prime Minister on reforms to UK data protection laws (you can read more in our update here).  

Transfers of personal data for the purposes of UK immigration control are not within the scope of the adequacy decisions under the GDPR. This is in light of the recent judgement of the Court of Appeal which held that the "immigration exception" under Schedule 2 of the UK Data Protection Act 2018 was not compliant with the GDPR. The European Commission will reassess the need for this exclusion once this has been remedied under UK laws.