What is the data adequacy agreement between the EU and UK?
Posted 3 years ago
In June 2021, The European Union (EU) formally recognised the UK’s high data protection standards after more than a year of talks, allowing the continued seamless flow of personal data from the EU to the UK.
Transferring data between countries within the EU is unrestricted, as every country has the same standard of data protection under the GDPR. However, if an EU country wants to transfer data outside of the EU, then certain safeguards must be in place.
Countries outside of the EU are referred to as a “third country”.
There are three tiers of safeguards, with the highest being the Adequacy Decision. This is where the EU Parliament has decided that a particular non-EU country’s own data laws offer an equal or greater level of protection as the GDPR.
If an Adequacy Decision is in place then data transfers can take place completely unrestricted (as if the non-EU country was actually an EU country).
What’s the difference between an adequacy agreement, adequacy decision and an adequacy period?
An “Adequacy Agreement” and an “Adequacy Decision” are basically the same thing.
When the UK left the EU and we brought the GDPR into UK law, we changed the name from “Adequacy Decision” to “Adequacy Agreement” . It’s exactly the same, but instead of being the EU Parliament making the decision, it’s the UK Government.
The Adequacy Period, on the other hand, is a little bit different. When the UK left the EU, it became (to the EU) a third-country, meaning that data transfers would become restricted. To go suddenly from unrestricted data transfers to then needing to make sure a whole raft of safeguards were in place, would have been detrimental to all manner of businesses and services across both the UK and the EU.
So, when the UK left the EU at the end of January 2020, we didn’t completely leave immediately. Instead, we entered a period of transition where we weren’t technically part of the EU any more but all of its laws and regulations (including the GDPR still applied). During this transition period, the UK government and EU Parliament were to thrash out a trade deal (which would include the details of future data sharing between the two regions).
However, by the end of 2020 and the end of the transition period, there was no such data sharing agreement in place. The UK government had already agreed to accept unrestricted data transfers to and from the EU but the EU Parliament had not reached its own decision on UK data transfers. Whilst the EU continued to ponder the granting of an Adequacy Decision a deal was made whereby data transfers would continue unrestricted between the UK and EU for a period of 4 months from 1st January 2021, with an option to extend for another couple of months. This was known as the Adequacy Period.
Ultimately, the EU voted in favour of granting the UK an Adequacy Decision and the Adequacy Period came to an end. Data can continue to flow freely between the two regions for the foreseeable future.
Online GDPR Training
Here at iHasco, we offer a number of Online Cyber Security & GDPR Training courses, including:
- GDPR UK Essentials Training (EU version also available)
- GDPR UK Advanced (Management) Training (EU version also available)
- GDPR UK in Education Training
- Cyber Security Awareness Training
- Fraud Awareness and Prevention Training
These courses are designed to help your employees work towards legislative compliance, and they provide the user with a printable certificate upon completion.
Claim your free, no-obligation trial to any of the courses today!
James Kelly
Senior Scriptwriter
Related articles
Opt-in to our newsletter
Receive industry news & offers