- The European Commission adopted two "adequacy" decisions recognizing U.K. data protection laws as equivalent with EU laws.
- For the first time, the EU has included a "sunset clause" which means the decisions will expire four years after coming into force.
- If during that period the U.K. diverges significantly from the EU on data standards, the commission said it may intervene.
LONDON — The European Union on Monday recognized Britain's privacy rules as adequate with its own, a key move that will allow EU-U.K. data flows to continue after Brexit.
The European Commission, the EU's executive arm, said the decision meant EU citizens' personal information would be treated with the same level of protection as it would inside the bloc when transferred to the U.K.
Businesses had worried that Britain and the EU wouldn't come to an agreement on data equivalence, potentially putting billions of dollars' worth of digital trade in jeopardy.
When the two sides agreed a post-Brexit trade deal in December, this did not include an agreement on EU-U.K. data adequacy. Instead, they introduced a temporary, six-month solution to keep cross-border data flowing. The U.K. has already recognized EU member states' data policies as adequate.
On Monday, the commission adopted two "adequacy" decisions, recognizing U.K. data protection laws as equivalent with EU laws including the General Data Protection Regulation — strict privacy reforms that were introduced in 2018 — and an older law on the processing of data connected with criminal offences.
But for the first time, the EU has included a "sunset clause" which means the decisions will expire four years after coming into force. If during that period the U.K. diverges significantly from the EU on data standards, the commission said it may intervene.
"The U.K. has left the EU but today its legal regime of protecting personal data is as it was," said Věra Jourová, vice-president for values and transparency at the European Commission
"At the same time, we have listened very carefully to the concerns expressed by the Parliament, the Members States and the European Data Protection Board, in particular on the possibility of future divergence from our standards in the U.K.'s privacy framework," she added.
Oliver Dowden, Britain's secretary of state for digital, said: "After more than a year of constructive talks it is right the European Union has formally recognised the U.K.'s high data protection standards."
"This will be welcome news to businesses, support continued cooperation between the U.K. and the EU and help law enforcement authorities keep people safe," he added.
The government said it is now plotting further trade deals and data adequacy agreements with other countries.
"The U.K. must also now move to complete the development of its own international data transfer regime in order to allow companies in the U.K. not just to exchange data with the EU, but also to be able to access opportunities across the world," said Julian David, CEO of industry group techUK.