The EU Commission has adopted an adequacy decision for the UK under the General Data Protection Regulation (GDPR). Personal data can now be freely transferred from the EU to the UK where it benefits from an essentially equivalent level of protection to that guaranteed under EU law.
On 30 December 2020, the EU and the UK signed a Trade and Cooperation Agreement (Trade Deal) which set out their future relationship following Brexit. Under the Trade Deal, it was agreed that businesses can continue to transfer personal data from the EU/EEA to the UK for up to 6 months after 1 January 2021 or until an adequacy decision was adopted. The adequacy decision was adopted by the Commission on 28 June.
- The UK's data protection system continues to be based on the same rules that were applicable when the UK was a Member State of the EU. The UK has fully incorporated the principles, rights and obligations of the GDPR into its post-Brexit legal system.
- The UK has in place strong safeguards with respect to access to personal data by public authorities in the UK, notably for national security reasons, with oversight by an independent judicial body, a requirement for proportionality and recourse to an Investigatory Powers Tribunal for affected individuals.
- The UK is also subject to the jurisdiction of the European Court of Human Rights and it must adhere to the European Convention of Human Rights as well as to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, which is the only binding international treaty in the area of data protection.
- The adequacy decision will automatically expire after four years. After that, the adequacy decision may be renewed, if the UK continues to ensure an adequate level of data protection.
- The Commission will continue to monitor the legal situation in the UK and can intervene at any point if the UK deviates from the current level of protection.
View the adequacy decision here