Why is UK adequacy relevant for the UK post-Brexit?
As the Data Protection Directive (95/46/EC) did 20 years earlier, the EU General Data Protection Regulation (2016/679) (EU GDPR) sets a severe restriction in the context of today’s increasingly interconnected and digitally borderless world. Transfers of personal data to a so-called “third country”, that is any country outside the European Economic Area (EEA), are only allowed subject to certain conditions, namely:
- The third country ensures an adequate level of protection for the personal data as determined by the European Commission (EC);
- In the absence of that adequate level of protection, the provision of appropriate safeguards (like Standard Contractual Clauses or Binding Corporate Rules (BCRs)); or
- In the absence of the foregoing, the international transfer of personal data fits within one of the derogations for specific situations covered by the EU GDPR.