Legal 101

Post-Brexit Data Sharing 

Catherine Boxall
July 19, 2021
Post-Brexit Data Sharing 

Post-Brexit Data Sharing. 

Adequacy Decision of the European Commission on UK Data Protection Law. 

The European Commission decided on the future of UK data protection law on the 28th June 2021, answering the significant question that has remained post-Brexit as to how digital information will flow between the UK and Europe. The Commission has permitted UK access to EU data. 

In its decision, the European Commission deemed that the UK’s data protection laws offer “adequate” protection of personal data. The Commission was of the view that the UK had incorporated the majority of the EU GDPR and Law Enforcement Directive into the Data Protection Act 2018 and that the ‘UK GDPR’, created by the 2019 Data Protection Regulations, was therefore adequate. The UK has reciprocally deemed the EU and EEA data policy as “adequate”.

The decision is crucial in ensuring the seamless transfer of data between the UK and the EU in a post-Brexit world and has prevented the need for costly and time-consuming data sharing infrastructures to be devised had the UK’s policy been considered inadequate. Due to this, UK businesses can carry on receiving personal data- which is crucial for trade, innovation, investment and services- without having to take extra precautions or diverge from UK data protection policies when dealing with EU-related data points. 

Had the UK GDPR been viewed as ‘inadequate’, personal data transfers between EU Member States and the UK would be governed by stringent rules that require the sender of data to verify that they have implemented “appropriate safeguards”. Parties to such data transfers would have to incorporate data protection clauses into their contracts, including costly and time-consuming data protection impact assessments (DPIA). 

The Commission’s “adequacy” decision is by no means conclusive. Its decision only remains in effect for four years and will then be reviewed under a unique sunset clause. The sunset clause limits the duration of the adequacy to four years and after which point, the decision will expire automatically. The inclusion of this sunset clause is a first in the Commission’s adequacy decisions and it has made explicit that if it sees a lapse in the standards of protection it will intervene immediately. After four years, the Commission can decide whether or not to renew its decision whereby the adoption process would restart.

As mentioned above, the decision means that DPIAs do not need to be carried out to permit the transfer of data between the UK and EU Member States. For businesses that hire and operate across Europe this means that they do not need to adopt complex data protection policies for their staff and clients in EU Member States. 

For letting agents, whilst Brexit has meant changes to the Right to Rent checks for citizens from the European Economic Area (which you can read about here), the Commission’s adequacy decision is welcomed as it means that letting agents can continue to operate their data policies in the same way as before. For an overview of what obligations the UK GDPR imposes on letting agents, view our blog post. 

Legislate keeps ahead of these legal changes so you don’t have to. Our suite of lawyer-approved contracts put the confidence back into contracting. You can view our contracts here

To start Legislating today, book a demo with a member of our team or sign up

The opinions on this page are for general information purposes only and do not constitute legal advice on which you should rely.

Subscribe to our monthly Blog updates
Go button
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.