Last reviewed 29 June 2021

We reported last week that the European Commission was likely to confirm that the data protection regime in the UK offers an equivalent level of protection to that afforded under EU law (see Good news from the EU on data protection).

Earlier than expected, the Commission has confirmed that it has adopted legal decisions formally recognising the UK’s data protection standards and allowing the continued flow of personal data from the EU and wider European Economic Area (EEA) to the UK.

The Department for Digital, Culture, Media & Sport (DCMS) has explained that the decisions mean that UK businesses and organisations can continue to receive personal data from the EU and EEA without having to put additional arrangements in place with their European counterparts.

Secretary of State for Digital, Oliver Dowden, said: “This will be welcome news to businesses, support continued cooperation between the UK and the EU and help law enforcement authorities keep people safe.”

The Government plans to promote the free flow of personal data globally and across borders, he went on, including through ambitious new trade deals and through new data adequacy agreements with some of the fastest growing economies, while ensuring people’s data continues to be protected to a high standard.

The Commission decisions will expire after four years with renewal dependent on the UK maintaining comparable privacy standards. They also include provision for changes to be made if the UK is seen to have made significant revisions to its data protection regime.

The EU decisions have been adopted under the General Data Protection Regulation (2016/679) and under the Law Enforcement Directive (2016/680).

The GDPR one can be found at and the LED one at

EU Commissioner for Justice, Didier Reynders, said: “The Commission will be closely monitoring how the UK system evolves in the future and we have reinforced our decisions to allow for this and for an intervention if needed.”