Since the 1st of January 2021, the United Kingdom has left the European Union. While a trade agreement has been signed, nothing has initially been provided for the transfer of personal data between Europe and the United Kingdom.

On 19 February, the Commission published two draft adequacy decisions:

  • One was on Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”); and
  • The other on Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, and on the free movement of such data.

These two adequacy decisions were definitively adopted on 28 June 2021. The European Parliament and Commission confirm that the United Kingdom offers a level of security sufficient for the protection of personal data. The United Kingdom has fully incorporated in its post-Brexit legal system the principles, rights and obligations of the GDPR and the directive on data protection with respect to law enforcement.

This good news for maintaining UK-UE relations, particularly with Luxembourg, will simplify the important flow of personal data between our two countries.

A big innovation has been integrated into these adequacy decisions, the sunset clause. Thus, the validity of the adequacy is limited to 27 June 2025, the date on which it will cease to be effective unless it has been reassessed beforehand. The sunset clause, in line with the permanent reassessment obligation set by the GDPR, is a welcome advance in personal data protection.

You can find the GDPR adequacy decision here, and the adequacy decision on the directive on the protection of personal data in law enforcement here.