Skip to Main Content
Main Menu

Data Privacy Laws: United Kingdom Adequacy Decision

Annie Greenley-Giudici

Updates to UK Data Privacy Laws Post-Brexit

Data privacy laws that apply to organizations transferring data into and out of the United Kingdom (UK) continue to be updated since Brexit.

In general, the data protection rules in the European Union General Data Protection Regulation apply in the UK too, with some differences.

Some of the key dates include:

  • January 31, 2020 – the UK withdrew from the European Union (EU)
  • January 1, 2021 – Brexit applied in principle, triggering changes to many of the rules that apply between the UK and EU
  • May 1, 2021 – Brexit officially came into force and the UK became a third country under the General Data Protection Regulation (GDPR)
  • June 28, 2021 – the European Commission approved two adequate provisions related to data privacy for the UK: one under the GDPR and the other under the European law enforcement directive – these decisions apply for four years
  • September 2021 – the UK Government announced plans to grant adequacy decisions to international partners
  • July 18, 2022 – UK Data Protection and Digital Information Bill (143 2022-23) was introduced to update and simplify the UK’s data protection framework.
  • June 2025 – the European Commission’s data protection and privacy adequacy provisions for the UK will be up for renewal

UK Data Privacy Laws now Closer to Europe’s GDPR

The European Commission’s adequacy decisions confirm the UK offers a level of data protection that is essentially equivalent to that in the EU under the GDPR.

These decisions mean the data protection system in the UK post-Brexit will continue to be based on EU standards, just as it was when the UK was a member of the EU.

Therefore, personal data can continue to flow freely from the EU to the UK for four years (until June 2025), without the need for extra protections or regulator approval.

The free flow of data in the other direction, from the UK to the EU, had already been confirmed by the British government at the time the UK stopped being a member of the EU.

Learn more about how UK privacy laws changed after Brexit.

How does GDPR apply in the UK?

The EU’s GDPR introduced a wide ranging data privacy law for individuals and organizations based on the principle that ‘the protection of natural persons in relation to the processing of personal data is a fundamental right’.

The GDPR gives individuals in the EU more rights to access, delete and/or control the use of data relating to them.

The GDPR covers all interactions where data might be collected and/or analyzed inside the EU – it doesn’t matter where your company and its online channels are located.

Companies that want to transfer data across borders between the UK and the rest of the world must now ask every person they interact with online for the same kinds of permissions as they would in the EU.

The UK data protection system includes strong safeguards for access of personal data by public authorities in the UK.

Here are some of the main points to remember:

  • Data collected by intelligence agencies must (in principle) be authorized by an independent judicial body, and any measure must be necessary and proportionate to the objective (e.g., state security)
  • Any data subject (organization, company) that feels the surveillance was unlawful can take action in the Investigatory Powers Tribunal
  • The main exclusion is for data transfers related to the UK’s immigration control, which was considered as part of the GDPR adequacy decision
  • The UK still comes under the jurisdiction of the European Court of Human Rights and must adhere to the European Convention on Human Rights
  • Automatic processing of personal data must meet data privacy compliance rules set by the Council of Europe – this is the only binding international convention for data protection and was key to the adequacy decision
  • The European Commission will review data privacy compliance in the UK in June 2025 – and if the commission renews the adequacy decision, adoption of the EU GDPR rules will start all over again

Concerns Remain About Data Privacy laws in the UK

The European Commission’s adequacy decisions were made with little time to spare on June 28, 2021 – just two days before the Brexit transition arrangement for data protection expired on June 30, 2021.

On the plus side: organizations could rely immediately upon the adequacy decisions.

On the negative side: the commission set a sunset clause for the adequacy decisions to expire in June 2025, unless explicitly extended.

The main concerns with how the GDPR applies in the UK include:

  • More changes to GDPR compliance in the UK – The UK Government is pursuing an aggressive economic agenda to welcome foreign investments and so it believes the country needs more flexible data protection laws to support this aim.

    Since the European Commission announced the adequacy decisions the UK Government has continued to push for more flexibility in data privacy compliance obligations, including giving more room for organizations to use artificial intelligence.

    Critics of the UK Government’s plans for more flexible data privacy compliance have stated the GDPR is misrepresented as a mostly consent-based framework.

    Not surprisingly, the European Commission has made clear it is monitoring the UK’s data protection laws and practices, the handling of onward transfers from European data to non-European Economic Area countries (e.g., the US).

    If the Commission finds the UK allows real divergence from GDPR it can repeal the adequacy decision.

  • Challenges to the scope of UK government access and surveillance laws – Although the adequacy decisions considered these UK laws, both the European Parliament and the European Data Protection Board have raised multiple questions about the intrusive nature of the UK’s surveillance laws.

    Clearly the Belgacom hack by British spies has not yet been forgotten.

    Also, given the close cooperation between the US and UK services, some critics are surprised the UK’s data privacy laws were signed off by the European Commission less than a year after the decision of the Court of Justice to strike the Privacy Shield off the books.

    It is no secret several non-profit civil rights organizations are eyeing possible legal challenges to the commission’s decision.

The UK government’s publicly stated position on reform for data protection laws is to have them based on common sense – not box ticking for compliance in the EU.

Review your GDPR Dataflows that Involve the UK

Organizations handling personal data into or out of the UK can take the following actions:

  • Identify all processing activities involving GDPR personal data being transferred to the UK – even indirectly.
  • Stay on top of arrangements between UK processors and respective controllers or upstream processors. Even though the Commission’s adequacy decision generally means data can flow freely, the rules could change overnight, especially if the Court of Justice of the EU is asked for a decision.
    • A potential departure of British laws from the EU’s expectations will be easier to predict.
  • TrustArc customers can get updates about the legal situation in the UK via Nymity Research. There are few alternatives available, especially given the new standard contractual clauses for international transfers as adopted by the European Commission cannot be used if a processing operation is directly subject to the GDPR.

UK Data Privacy Laws Mean You Must Appoint UK and/or EU Representatives

Post-Brexit, organizations need to pay close attention to UK data privacy compliance requirements under Article 27 of both the EU GDPR and the UK GDPR – these provisions require organizations to appoint an official representative in the UK and/or EU if they are not physically established in the UK or EU respectively.

Here are some examples of how these rules apply:

  • A US organization with a UK subsidiary is now required to appoint an EU representative to comply with EU GDPR
  • An EU company doing business in the UK without a local establishment in the UK must appoint a UK representative to comply with UK GDPR
  • A Chinese company without any European base that previously relied on its EU representative will now need to add a UK representative to comply with UK GDPR

Learn from TrustArc about International Data Transfer Privacy Compliance

We know navigating international privacy regulations can be challenging, so we offer a range of guidance and services to help your organization manage data privacy compliance in other regions such as the UK and Europe.

Key Topics

Get the latest resources sent to your inbox

Back to Top