The European Union has embarked on a process towards the making of two 'adequacy decisions' for transfers of personal data to the United Kingdom, one under the General Data Protection Regulation and the other for the Law Enforcement Directive. The General Data Protection Regulation calls for 'adequacy' rather than 'equivalence.'

The publication of two draft decisions is the beginning of a process towards their adoption as official. This involves the issuance of a favourable 'opinion' from the European Data Protection Board (EDPB) and the green light from a committee composed of representatives of the EU's member-states. Once this procedure is complete, the European Commission - the nearest thing that the EU has to an executive branch - might proceed to adopt the two decisions. It has already concluded that the UK ensures an essentially equivalent level of protection to the one guaranteed by the GDPR and, for the first time, the LED.

Articles 45(3) of the GDPR and Article 36(3) of the Law Enforcement Directive grant the commission the power to decide, by means of an implementing Act, that a non-EU country ensures “an adequate level of protection,” i.e. enough protection for personal data in EU terms. If a non-EU country has been found to be adequate, transfers of personal data to it from the EU can take place without being subject to any further conditions.

In the UK, the processing of data is governed by the so-called “UK GDPR” and the Data Protection Act 2018, which are based on the EU's GDPR and the LED. Data flows from the UK to the EU – are regulated by British legislation which first applied on 1 January 2021. The UK has already decided that the EU protects data adequately and that therefore data can flow freely from the UK to the EU.