The European Data Protection Board confirms that the key provisions of the GDPR and the UK Data Protection Regulation (UK GDPR) are identical. However, the European Data Protection Board points out to the EU Commission that some data protection challenges exist. For example, under the Investigatory Powers Act (IPA) of 2016, security agencies and intelligence agencies in the UK have far-reaching powers and can make massive intrusions into technical devices.
On 20. May 2021, the European Parliament decided with a narrow majority against the adequacy decisions for the UK and demanded improvements.
After these two opinions, it was not clear for a long time whether the adequacy decision would come into effect before 01. July 2021 and whether the UK would thus be classified as an unsafe third country, which would have necessitated appropriate safeguards pursuant to Art. 46 GDPR for data transfers from the EU to the UK.
The adequacy decision, which was issued before the end of the transitional period, makes it easier for the companies and organizations concerned to transfer data to the UK. However, the EU Commission must review every four years whether the adequacy of the level of data protection continues to be guaranteed and extend the validity of the adequacy decision.
If you have any questions about GDPR-compliant data transfers to the UK or other third countries, please contact us here!