Adequacy for the UK is good news. It will enable the free flow of data from the EU to the UK to continue.
Without UK adequacy, substantial extra compliance burdens would have arisen for EU businesses who transfer data to the UK, at a time when many can ill afford it. The burden of transferring data to third countries in the absence of an adequacy decision has increased following the Schrems II case. For example, transfer impact assessments require companies to conduct "mini adequacy assessments" of countries to which data is transferred, using the same criteria as the European Commission when conferring adequacy decisions. That means assessing the data protection framework in the third country as well as its international commitments and respect for the rule of law, access to justice and international human rights norms (see Article 45(2) of the GDPR). These are complex considerations and particularly difficult for SMEs to comply with.
The finding that the UK is adequate is not surprising. The UK is a recently-departed Member State. A negative adequacy finding for the UK would have set the bar for adequacy impossibly high. It would have created substantial difficulties for the EU in conferring new adequacy decisions (for example on South Korea or on certified US companies under any replacement for Privacy Shield). It could have also proved a barrier to continuing existing adequacy decisions. These are currently being reviewed by the European Commission.
Sign up to our email digest