The Three Deaths of EU-UK Data Adequacy

Author (Person) ,
Series Title
Publication Date November 2021
Content Type


European and British businesses can still freely transfer personal data between the EU and UK.  The British government retained the EU’s General Data Protection Regulation (GDPR) in domestic law, and said it would continue to allow free data transfers to the EU. And the European Commission decided that the UK would continue to provide an adequate level of protection of personal data, thereby allowing data flows to continue without any new safeguards. There are three scenarios, any one of which could kill the EU’s adequacy decision: the European Court of Justice (ECJ) ruling that the UK’s intelligence gathering should have prevented the Commission granting adequacy; the Commission choosing to withdraw adequacy because the UK diverges too far from the GDPR in the future; or the UK unilaterally deciding to allow seamless transfers between the UK and third countries, which would probably compel the Commission to revoke the adequacy decision. Navigating these risks is likely to become increasingly politically costly for the UK government. The question is not if smooth data transfers will end, but rather when, and how.

Source Link
Alternative sources
Related Links
ESO Records
EPRS: At a Glance: May 2021: International transfers of personal data
EPRS: In-Depth Analysis: Apr. 2021: EU-UK private-sector data flows after Brexit: Settling on adequacy
CER Bulletin: Apr./May 2021: Post-Brexit Data Transfers Are Not a Done Deal

Subject Categories ,
Subject Tags , ,
Keywords ,
Countries / Regions
International Organisations
Record URL