EU finds UK has adequate protections for personal data

ByRob Bratby Posted on Data Protection, EU, Telecoms Regulation, UK

This article was published in June 2021 and reflects the regulatory position at that time. For current guidance on this topic, contact Bratby Law or see our latest insights.

EU finds UK has adequate protections for personal data - Bratby Law

Quick answer. The European Commission adopted an adequacy decision for the UK on 28 June 2021 under Article 45 GDPR, allowing continued free flow of personal data from the EU and EEA to the UK. The original decision was granted for four years. It was renewed by the European Commission on 19 December 2025 and now runs until 27 December 2031.

On 28 June 2021, the EU Commission found that the UK provides adequate protection for personal data, enabling personal to freely flow from the EU (and EEA) to the UK.

Editorial note (April 2026): The EU adequacy decision for the UK was adopted on 28 June 2021 for a period of four years, expiring on 27 June 2025. It was subsequently extended.

Background

European privacy law (specifically articles 44-50 of the General Data Protection Regulation (GDPR)) prohibits the export of personal data from the EU to a third country unless the data exporter can ensure that ‘the level of protection of natural persons‘ is the same after export as within the EU.

GDPR sets out alternative ways in which the legally required protection for exported personal data can be achieved:

  • first, the EU could find that the third country’s laws provide adequate protection (article 45 GDPR) and personal data may be exported on that basis.
  • second, personal data may be exported where appropriate safeguards are put in place with enforceable data subject rights and effective legal remedies for data subjects are available (article 46(1) GDPR). GDPR specifies what appropriate safeguards may be used:
    • legally binding and enforceable instrument between public authorities or bodies (art 46(2)(a))
    • binding corporate rules (art 46(2)(b))
    • use of standard data protection clauses adopted by the EU Commission (art 46(2)(c))
    • use of standard data protection clauses adopted by national regulator and approved by the EU Commission – i.e. SCCs (art 46(2)(d))
    • an approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights (art 46(2)(e))
    • an approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights (art 46(2)(f))
    • subject to approval by a national regulator, contractual clauses and/or cross border administrative arrangements (art 46(3)
  • Finally, there are limited derogations (art 49) which allow the export of personal data in the following circumstances. However, EDPB regulatory guidance makes it clear that these are ‘exceptional’ and should not be relied on for routine ‘business as usual’ data export.

Subscribe below to receive new Bratby Law articles direct to your inbox. For specific advice, contact Rob Bratby at Bratby Law.

Primary sources

Select topics of interest
Rob Bratby

Lawyer

Telecoms | Data | Payments | Managing Partner, Bratby Law | Fractional General Counsel | Chambers-ranked telecoms lawyer

Similar Posts