The EU has today confirmed that an Adequacy Decision for the UK has been approved, this means that organisations based in the EU can transfer personal data to the UK without falling foul of the GDPR, or requiring additional safeguards to be in place.
As reported by Lawspeed in January, the EU and UK, as part of the Brexit deal, agreed to extend existing data protection arrangements relating to the transfer of data between the EU and the UK for a 6 month transition period whilst the EU considered an adequacy decision for the UK. This period was due to expire on 30th June 2021 and, whilst there was a widely held view that the decision was a formality, given that the UK has adopted the EUs own GDPR, businesses were getting concerned at the lack of confirmation, with some starting to face difficulties with EU based clients.
However, the adequacy decision has now been confirmed, and a statement from the Information Commissioners Office (ICO) on the matter can be found here.
What this means in practice is that clients, and other organisations, based in the EU can continue to transfer data to the UK without having to put additional standard EU contractual conditions in place.
The adequacy decision is, unusually, for a fixed period of 4 years, thus allowing the EU scope to change its view should UK data protection arrangements change. However, this is something that anyone dealing with EU clients, contract and compliance will surely welcome as easing administrative burdens.