Handley Gill
LEGAL, REGULATORY & COMPLIANCE CONSULTANTS

UK Adequacy Regulations

 UK Adequacy Regulations

World map depicting countries subject to UK adequacy regulations for restricted international data transfers under the UK GDPR

Map showing third countries designated by UK adequacy regulations as offering an adequate level of protection of personal data

By virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, Schedule 2, which inserted a new Schedule 21 into the Data Protection Act 2018, the following countries and institutions were identified at Part 3 paragraph 5 as being the subject of adequacy regulations by the UK for ex-UK restricted international data transfers:

an EEA state;

Gibraltar;

a Union institution, body, office or agency set up by, or on the basis of, the Treaty on the European Union, the Treaty on the Functioning of the European Union or the Euratom Treaty;

an equivalent institution, body, office or agency set up by, or on the basis of, the Treaties establishing the European Economic Area;

Switzerland;

Canada (in so far as the recipient is subject to the Personal Information Protection and Electronic Documents Act (PIPEDA));

Argentina;

Guernsey;

Isle of Man;

Jersey;

Andorra;

Israel;

Uruguay;

New Zealand; and,

Japan (in so far as the data is subject to the Act on the Protection of Personal Information).

On 21 November 2022, the Secretary of State made The Data Protection (Adequacy) (Republic of Korea) Regulations 2022 (SI 2022/1213), which take effect from 19 December 2022, and which render transfers to individuals/entities subject to the Personal Information Protection Act in the Republic of Korea adequate.

On 21 September 2023, the Secretary of State made The Data Protection (Adequacy) (United States of America) Regulations 2023 (SI 2023/1028), which take effect from 12 October 2023, and which render transfers to individuals/entities self-certified to the Trans-Atlantic EU-US Data Privacy Framework and its UK extension adequate.

Featured
UK-US data bridge open for traffic
UK-US data bridge open for traffic

Handley Gill’s specialist data protection consultants consider the implications of The Data Protection (Adequacy) (United States of America) Regulations 2023 (SI 2023/1028) for data exporters subject to the UK GDPR conducting personal data transfers from the UK to the USA and what action should be taken.  

Freedom from the tyranny of supplementary measures
Freedom from the tyranny of supplementary measures

Handley Gill Limited’s specialist data protection consultants consider the impact of the European Commission’s adequacy decision in respect of the Trans-Atlantic EU-US Data Privacy Framework and the steps controllers and processors should take in relation to transfers of personal data from the EEA and UK to the USA.

A bridge to nowhere?
A bridge to nowhere?

A commitment to establishing a UK-US data bridge, which would take the form of adequacy regulations being issued by the Secretary of State pursuant to section 17A Data Protection Act 2018, has been announced. Since this bridge is likely to be contingent on the European Commission issuing its own adequacy decision, and the draft has recently been rejected by the European Parliament, data exporters will be reliant on the Commission ramming through the roadblock or will find themselves stuck in traffic on the UK-US data flyover.