Date Published 22/03/2022
UK deemed Equivalent for GDPR
On 11 October 2021 the two European Commission adequacy decisions relating to transfers of personal data to the UK were published in the Official Journal. These reflected decisions which had been adopted in June 2021 and which had concluded that the UK ensures an essentially equivalent level of protection to that guaranteed under (a) the General Data Protection Regulation (Regulation (EU) 2016/679) and (b) the Law Enforcement Directive (Directive (EU) 2016/680), respectively. This determination was arrived at following assessment by the European Commission. Both of these adequacy decisions contain a so-called “sunset clause” which limits the duration of adequacy to four years, but for the moment personal data can flow freely from the European Union to the UK. Following the expiration of the sunset clause, the level of protection in the UK will again be assessed for adequacy and the finding may then be renewed. Copies of the relevant decisions are available upon request.
From a fund perspective, the Central Bank of Ireland has stated in its recently released Securities Markets Risk Outlook Report that data and cyber security, as well as related operational resilience (which has also just been the subject of a consultation paper (CP 140)), are to be key areas of its focus for 2022. However, it is important to note that data protection specifically is also subject to the remit of the Data Protection Commissioner in Ireland. As the €225 million fine issued to WhatsApp in September 2021 and the €17 million fine issued to Meta (formerly Facebook) in March 2022 illustrate, this is a supervisory authority with significant powers. Accordingly, regulated businesses operating in the sector should take particular care to ensure compliance with related provisions – or face the prospect of potential sanction from two separate regulatory bodies.