Data Protection


Data Protection Updates

European Union (EU) Commission’s announcement on the approval of the United Kingdom’s (UK) adequacy

On 28 June the EU Commission announced that a General Data Protection Regulation adequacy decision for the UK has been approved.

The decision means that the EU has determined the UK to have adequate data protection laws to allow personal data to safely flow from the EU (and European Economic Area (EEA)) to the UK.The adequacy decision is for four years but may be revoked or revised without the need to engage with the UK.The decisions mean personal data can continue to flow freely from the EU to the UK without the need for businesses to put additional arrangements in place. such as Standard Contractual Clauses as long as UK and EEA businesses are observing their respective data protection frameworks.

Further information (external links):

European Commission: Commission adopts adequacy decisions for the UK

UK Government: EU adopts ‘adequacy’ decisions allowing data to continue flowing freely to the UK

Information Commissioner’s Office (ICO): ICO statement in response to the EU Commission’s announcement on the approval of the UK’s adequacy 

The EU - U.S. Privacy Shield is no longer valid

The European Court of Justice has invalidated the EU - U.S. Privacy Shield: Schrems II case, that allowed the transfer of personal data between the two regions, stating that personal data protection and its judicial protection in the U.S. is not in keeping with requirements of EU law.

This will affect any future contracts determining whether data can be transferred to a U.S. based company. UCL has produced a short guidance note based on the initial impact of this decision.  If you have any queries surrounding this issue after reading our guidelines, please contact the data protection office before doing so on: data-protection@ucl.ac.uk.