Just two days before the bridging provisions in last December's Trade and Cooperation Agreement were due to lapse, the European Commission has confirmed that it has adopted adequacy decisions in respect of the UK. By these decisions, the Commission has determined that the UK offers an adequate level of protection of personal data, such that transfers of such data from the EEA to the UK can be made without any further specific authorisation. The decisions relate both to General Data Protection Regulation (GDPR) and the Law Enforcement Directive (which deals with data in a law enforcement context).
The decisions will be greeted with relief by organisations who do business with European Union member states. If they had not been made, the cost to business, and to the economy in general, would have been enormous.
By making the decisions, the Commission has accepted that the UK respects the rule of law, access to justice and international human rights norms as well as accepting the UK's general and sectoral law, including legislation concerning public security, defence and national security, public order and criminal law.
However, and uniquely, these adequacy decisions contain a "sunset clause", under which they will expire after four years, and must be reassessed and renewed at that point.
It is also important to note that the decisions are not without their critics, and it is possible that there may be legal challenges, which could ultimately end up at the European Court of Justice. What is certain that the topic of international transfer of personal data will continue to exercise businesses – and lawyers – for some time to come.