Skip to content

Menu

LexBlog, Inc. logo
NetworkSub-MenuBrowse by SubjectBrowse by PublisherJoin the NetworkGet StartedSubscribeSupport
Contact Us
Search
Close

European Data Protection Board Issues Opinions on European Commission’s Draft UK Adequacy Decisions

By Mark A. Prinsley, Oliver Yaros, Dr. Ulrich Worm, Björn Vollmuth, Ana Hadnes Bruder, Ondrej Hajda & Reece Randall on April 27, 2021
Email this postTweet this postLike this postShare this post on LinkedIn

On 13 April 2021, the European Data Protection Board (“EDPB“) adopted two opinions  (“Opinions“) concerning draft UK adequacy decisions published by the European Commission which would permit the free flow of personal data from the European Economic Area (“EEA“) to the UK in the post-Brexit world. The Opinions largely support the draft UK adequacy decisions and represent a positive step towards adoption of formal UK adequacy decisions. Nonetheless, organisations which transfer personal data from the EEA to the UK should continue to monitor the developments and keep planning for the possibility that the adequacy decisions, if adopted, could be withdrawn after the initial four-year period (or even earlier) or overturned by the Court of Justice of the European Union, as seen twice already in the case of the Safe Harbour and the Privacy Shield for personal data transfers to the United States.

Setting the Context

Following the end of the Brexit transition period on 31 December 2020, transfers of personal data from the EEA to the UK have been freely permitted by virtue of a six-month additional transition period provided for in the EU-UK Trade and Cooperation Agreement (see our alert here for further details). Once the transition period ends on 30 June 2021, transfers of personal data from the EEA to the UK will be subject to rules contained in Chapter 5 of the EU General Data Protection Regulation (“GDPR“).

The simplest solution for businesses to transfer personal data freely between the EEA and the UK would be the adoption by the European Commission of a UK adequacy decision, whereby the European Commission determines that the data protection laws of the UK are adequate to those under EU law. Should the UK receive an adequacy decision, subject to any conditions of that decision, personal data would be permitted to flow freely from the EEA to the UK without the need to deploy any further measures to legally effect the transfer.

Whereas the UK has already determined that UK personal data can flow freely to the EEA without the need for further measures, the European Commission’s decision to commence the formal procedure to adopt two adequacy decisions for the UK in February 2021 signalled a positive development for organisations that rely on EEA to UK cross-border data flows. The Opinions now presented by the EDPB are a step in the process towards adoption of the formal UK adequacy decisions.

Specifically, the Opinions are in response to the European Commission’s draft adequacy decisions concerning:

  1. the adequacy of protection of personal data in the UK pursuant to the GDPR (Opinion 14/2021) (“First Opinion“); and
  2. the adequacy of protection of personal data in the UK pursuant to the EU Law Enforcement Directive (EU) 2016/680, which covers processing of personal data by authorities for the prevention, investigation and prosecution of criminal offences (“LED“) (Opinion 15/2021) (“Second Opinion“).

First Opinion

In its First Opinion, the EDPB outlined that the GDPR had been mostly mirrored by the UK in its domestic data protection framework. For instance, the EDPB draws attention to the alignment on certain core data protection provisions, such as grounds for lawful and fair processing for legitimate purposes, purpose limitation, data quality and proportionality, data retention, security and confidentiality, transparency, special categories of data, direct marketing and automated decision making and profiling.

The EDPB also identified a number of challenges which the EDPB recommends and invites the European Commission to further assess and address. Such challenges include:

  1. Risks to transferred EEA personal data in light of UK Government indications to develop  separate and independent policies which could cause divergence between the UK and EU data protection frameworks.
  2. The “immigration exemption” contained in Schedule 2 of the UK Data Protection Act 2018.
  3. Onward transfers of EEA personal data from the UK, which should only be permitted from the UK to third countries if the level of data protection in the importing third countries is also “essentially equivalent” to the GDPR. This might not be the case, for example, in the following situations:
    • where there are inconsistencies between the UK and European adequacy regimes (which currently mirror each other), for instance should the European Commission decide certain countries are no longer adequate from a European data protection perspective;
    • where future international agreements concluded between the UK and third countries may facilitate direct access to EEA personal by third countries’ authorities;
    • where UK legislation may provide for additional onward transfer tools in the future which do not align with EEA requirements, such as safeguards following the Schrems II decision (see our alert for further details); or
    • where the UK Information Commissioner’s Office interpretation of the derogations in Article 49 UK GDPR no longer aligns with those of the EDPB.
  4. Access to personal data by government authorities. The EDPB welcomes the existence of the Investigatory Powers Tribunal (“IPT“) and of Judicial Commissioners. However, the EDPB sees the need to further assess cases in which a lawful interception is possible without approval of the IPT or the Judicial Commissioners.

The EDPB welcomed the European Commission’s decision to include a sunset clause in the draft adequacy decision, setting its expiration date to four years after its entry into force. In addition to this and in light of the identified challenges, the EDPB invited the European Commission to monitor all relevant developments in the UK and suspend and/or amend the GDPR adequacy decision, if necessary.

Second Opinion

In the Second Opinion, the EDPB found that there is a “strong alignment” between the essence of the fundamental principles and the core provisions in the LED and in the UK legal framework. The EDPB has made a number of recommendations to the European Commission and the EDPB welcomed the European Commission’s decision to introduce the four-year sunset clause like in the case of the draft GDPR adequacy decision.

Similarly to the First Opinion, the EDPB advises the European Commission to closely monitor the developments regarding the UK data protection legislation and amend or suspend the LED adequacy decision, if necessary.

Next Steps

Given the depth and substance of the remarks of the EDPB, the European Commission may amend the draft adequacy decisions for the UK to address the EDPB’s concerns. While this may delay the adoption process, it is a positive development, given that the amended adequacy decisions should be more likely to withstand scrutiny by the Court of Justice of the European Union.

 

This article was originally published on AllAboutIP – Mayer Brown’s blog on relevant developments in the fields of intellectual property and unfair competition law.

Photo of Mark A. Prinsley Mark A. Prinsley

Mark Prinsley is a partner and heads the technology practice in the London office, and is a member of the firm’s Cybersecurity & Data Privacy practice. He concentrates on technology transactions, in particular IT projects and outsourcing.

A substantial element of Mark’s practice…

Mark Prinsley is a partner and heads the technology practice in the London office, and is a member of the firm’s Cybersecurity & Data Privacy practice. He concentrates on technology transactions, in particular IT projects and outsourcing.

A substantial element of Mark’s practice involves data protection issues and he has worked extensively for clients in the pensions and financial services sector designing and implementing GDPR compliant systems for the collection and processing of personal data by businesses and related sub-contractors, commercial transactions involving data sharing and reaction to data breach scenarios including managing data breach notifications. Recent projects Mark has worked on involving personal data include working for an automobile manufacturer implementing a connected vehicle programme globally, a supplier of facial recognition technology on methods of marketing that technology in Europe in compliance with data protection laws and for an insurtech business licensing technology and services to enable life insurers to underwrite life cover for diabetics using AI.

Read Mark’s full bio.

Read more about Mark A. PrinsleyEmail
Show more Show less
Photo of Oliver Yaros Oliver Yaros

Oliver Yaros is a partner in the Intellectual Property & IT Group as well as the Technology & IP Transactions and Cybersecurity & Data Privacy practices of the London office of Mayer Brown. He advises clients on technology and outsourcing transactions with a…

Oliver Yaros is a partner in the Intellectual Property & IT Group as well as the Technology & IP Transactions and Cybersecurity & Data Privacy practices of the London office of Mayer Brown. He advises clients on technology and outsourcing transactions with a particular focus on fintech and digital transformation projects, as well as clients operating within a broad range of sectors on data protection matters and cybersecurity incidents, intellectual property transactions and related issues.

Read Oliver’s full bio.

Read more about Oliver YarosEmail
Show more Show less
Photo of Dr. Ulrich Worm Dr. Ulrich Worm

Ulrich Worm is a partner in the Frankfurt office of Mayer Brown and heads the German Intellectual Property practice. His practice focuses on technology related advice.

Ulrich advises clients in IP related matters, including patent, trade secrets, design right, trademark and copyright matters…

Ulrich Worm is a partner in the Frankfurt office of Mayer Brown and heads the German Intellectual Property practice. His practice focuses on technology related advice.

Ulrich advises clients in IP related matters, including patent, trade secrets, design right, trademark and copyright matters as well as on licensing, co-operation and other technology transfer agreements. He represents clients in patent infringement and nullity proceedings and in trade secrets litigation cases before courts in Germany. In addition to litigating IP cases before German courts, he coordinates pan-European and cross-Atlantic litigation cases. Further to his IP litigation practice, Ulrich advises on patent related matters such as patent license and other technology transfer agreements and is experienced in fighting counterfeiting of patent, design right and trademark protected products.

His practice further covers IT-related matters, including advising on cloud services, software licensing agreements, SaaS agreements, software development projects, e-commerce, and related data protection and privacy questions.

Read Ulrich’s full bio.

Read more about Dr. Ulrich WormEmail
Show more Show less
Photo of Ana Hadnes Bruder Ana Hadnes Bruder

Ana Hadnes Bruder is a partner in Mayer Brown’s Frankfurt office and an active member of the global Cybersecurity & Data Privacy practice. She is also a member of the firm’s Intellectual Property practice. Ana advises clients on data privacy and cybersecurity matters…

Ana Hadnes Bruder is a partner in Mayer Brown’s Frankfurt office and an active member of the global Cybersecurity & Data Privacy practice. She is also a member of the firm’s Intellectual Property practice. Ana advises clients on data privacy and cybersecurity matters, including preparing for and reacting to cyber-attacks, assessing and making required data breach notifications, analyzing data protection implications of new products and tools and providing strategic advice with a focus on cross-border data processing. Ana further advises on Technology Transactions including cloud services, data and software licensing agreements, SaaS agreements, software development projects, e-commerce, and related Cybersecurity & Data Privacy questions.

Ana is a registered lawyer in Germany and Brazil and has ten years of international experience as legal counsel in Brazil, France and Germany. Ana started her career at Mayer Brown in the Dispute Resolution practice where she represented clients in litigation and arbitration proceedings involving complex commercial, intellectual property and liability matters.

Before joining Mayer Brown, Ana gained experience representing foreign clients in judicial proceedings in Brazil and also worked as in-house counsel for a leading French company in Paris.

Read full bio

Read more about Ana Hadnes BruderEmail
Show more Show less
Photo of Reece Randall Reece Randall
Read more about Reece RandallEmail
  • Posted in:
    Privacy and Cybersecurity
  • Blog:
    All About IP
  • Organization:
    Mayer Brown

Call us at 1-800-913-0988 or email sales@lexblog.com.

Facebook LinkedIn Twitter RSS
  • About LexBlog
  • The Field We Built
  • Our Beliefs
  • Our Team
  • Contact LexBlog
  • Disclaimer
  • Editorial Policy
  • Terms of Service
  • Get Started
  • Publishing Solutions
  • Compass
  • Submit a Request
  • Support Center
  • System Status
Copyright © 2026, LexBlog, Inc. All Rights Reserved.
Law blog design & platform by LexBlog LexBlog Logo