Draft adequacy update 2021

February 25th, 2021 Posted in Compliance, Data Protection

On 19th February 2021, the European Union (“EU”) Commission published its draft adequacy decision. Recognising the UK’s data protection regime effectively ensures an equivalent level of protection to that guaranteed under the General Data Protection Regulation (“GDPR”).

Another step closer to adequacy

This important next step follows the news on 24 December 2020 that the UK and the EU finally reached a decision under the draft EU-UK Trade and Cooperation Agreement. It was agreed personal data would continue to flow at the end of the transition period (31 December 2020) without any change for the next 6 months. This would allow the European Commission to complete its adequacy assessment of the UK’s data protection regime.

As a result, we are a step closer to confirmation that data will continue to flow, uninterrupted, from the EU and wider European Economic Area (“EEA”) to the UK. The UK has already recognised the EU and EEA member states as ‘adequate’, ensuring data can continue to flow from the UK to the EU without restriction.

What next?

The draft decision follows months of discussions and assessment of the UK’s data governance standards by its EU counterparts. Therefore, the draft decision will be welcomed by organisations in the UK (and likely by EU counterparts) as it looks like we will avoid the large amount of paperwork that would ensue in reviewing contractual arrangements if the UK was not to receive adequacy.

As part of the technical approval process, the European Data Protection Board (“EDPB”) is now required to provide their ‘non-binding opinion’ on the draft decision before it is presented to EU member states for formal approval. Following that, the EC could adopt the final adequacy decision for the UK.

Technical confirmation of the draft adequacy decision will allow UK businesses and organisations to continue to transfer personal data from the EU and EEA without the need for additional safeguards, for at least the next four years. After which, it will be possible to renew the adequacy finding if the level of protection in the UK continues to be adequate. As such, it is imperative that the UK does not backslide on its current approach which is looking ever more likely to be deemed adequate.


On 1st January 2021, the UK GDPR came into force by virtue of the snappily named ‘The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019’ (the “Exit Regulations”) which are available here. The effect of the Exit Regulations is to codify the GDPR into UK law with references to EU institutions and mechanisms changed for equivalent UK institutions and mechanisms. Given this, the UK GDPR is currently near identical to the EU GDPR but there will be divergence over time as the UK GDPR is not subject to the jurisdiction of the European Court of Justice (but the EU GDPR is).

What this means for data protection in the UK remains unclear. Some feel that we’ll remain aligned to EU data protection laws whereas others expect the UK government to take a different approach over time. A new Information Commissioner will be appointed this year as well, with Elizabeth Denham leaving her post on 31st October. Again, there is some speculation that the Government may take a different approach to ICO leadership but we’ll have to wait and see. In any event, If you trade or work in the EU as well as the UK, there will therefore be a need to monitor and comply with both regimes.

Need help?

If you have questions about post-Brexit data flows, or need input on representatives, we’d be happy to discuss these issues with you in more detail.


Raymond Orife Evalian 250x250

Written by Ray Orife

Ray specialises in data protection and information rights law. He is a qualified solicitor and worked in private practice and in-house in commercial law roles before focusing on data protection. Before joining Evalian™ he was in-house counsel and Data Protection Officer for a high street financial services organisation and their associated businesses. His qualifications include a First Class Honours Degree in Law, LPC (Distinction), Practitioner Certificate in Data Protection (PC.dp) and IAPP CIPP/E.