After the "Brexit", a six-month transition period applied to the unrestricted transfer of data between the UK and EEA states. Without a succeeding regulation, the UK would have had to be qualified as an unsafe third country from the end of June 2021, which would have had serious implications for the transfer of personal data.

For this reason, the European Commission issued an "adequacy decision" on June 28, 2021, according to which a level of data protection applies in the UK that is equivalent to the level of protection guaranteed under EU law. Accordingly, personal data from the EU (as well as from Norway, Liechtenstein, and Iceland) may continue to be transferred to the UK without additional protective measures. Transfers to the UK are thus equivalent to data transfers within the EU (which also applies, e.g., to Argentina, Canada, Israel, Japan, Switzerland, and Uruguay).

The issuance of the adequacy decision does not really come as a surprise. Data protection law in the UK is still based on the same principles as before Brexit. However, the adequacy decision contains a sunset clause for the first time, limiting its validity to four years. After that, it can be renewed, provided that the UK continues to ensure an adequate level of data protection. During these four years, the European Commission will closely monitor the legal situation, particularly with regard to the activities of the British intelligence agencies and their cooperation with the U.S. intelligence agencies.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.