Flows of personal data from the EU to the UK will continue, after the European Commission adopted two “data adequacy” decisions.
The decisions include a sunset clause, which runs out after four years.
They will be renewed only if the UK ensures an adequate level of data protection, the commission said.
UK firms had been facing making costly alternative plans with EU counterparts to keep data flowing once a post-Brexit transition period expires this month.
The agreement also covers data from countries in the wider European Economic Area.
Didier Reynders, Commissioner for Justice, said the adequacy agreement was, “important for smooth trade and the effective fight against crime”.
Welcoming the decision, the UK government said it “plans to promote the free flow of personal data globally and across borders”.
“All future decisions will be based on what maximises innovation and keeps up with evolving tech,” it added.
John Foster, CBI director of policy, called the agreement a breakthrough. “The free flow of data is the bedrock of the modern economy and essential for firms across all sectors,” he wrote.
No deviation
The commission said in a press release that it reached its decision in part because: “The UK’s data protection system continues to be based on the same rules that were applicable when the UK was a member state of the EU.”
However, it added that it would “intervene” at any point if the UK deviates from the level of protection presently in place.
Some UK politicians have recently argued for changes to UK data protection law.
A report, commissioned by the prime minister, from The Taskforce on Innovation, Growth and Regulatory Reform chaired by Sir Iain Duncan Smith, said: “GDPR is already out of date and needs to be revised for AI and growth sectors if we want to enable innovation in the UK.”
The EU excluded from the adequacy agreements transfers of data to be used for “immigration control”.
A recent Court of Appeal ruling found that some UK data rules relating to immigration were incompatible with GDPR.