Last month, the European Commission launched the process for two adequacy decisions for data transfers to the UK – one under the GDPR and one under the Law Enforcement Directive.
The European Commission recently published two draft adequacy decisions for data transfers to the UK. One of those is under the GDPR and the other under the Law Enforcement Directive or LED. This is the first step in adopting those adequacy decisions. The next steps in this process would be to obtain an opinion from the EDPB and subsequently, get approval from a committee of representatives from the EU Member States. Once this is done these decisions can be adopted.
Under Article 45(3) of the GDPR and Article 36(3) of the Law Enforcement Directive, the Commission has the power to decide that a non-EU country fulfills the requirements for an adequate level of protection for personal data flows with the EU. If the European Commission has deemed a country “adequate”, personal data transfers can be made between EU Member States and that country without being subject to any further conditions. Currently personal data transfers in the UK are governed by the UK GDPR and the DPA, which are very similar to the EU GDPR & the LED.
The Commission feels confident that data transfers to the UK will be adequately protected under their equivalent laws.
The Commission has spent several months prior to drafting these decisions, studying the UK’s laws on data transfers. From this, came the conclusion that the UK’s equivalent laws to the GDPR and LED give data transfers a similar level of protection. As a result, The Commission believes that data transfers to the UK from the EU will indeed be adequately protected under their equivalent laws. Didier Reynders, Commissioner for Justice said in a statement, “EU citizens’ fundamental right to data protection must never be compromised when personal data travels across the Channel. The adequacy decisions, once adopted, would ensure just that.”
UK data protection regime has been heavily influenced by EU law for decades, making this a very easy adequacy process.
In most adequacy decisions the systems in place are often divergent making the adequacy process one that converges the two. However, in this case the UK has had a data protection regime modeled after that of the EU for decades now. Regardless, this process is essential now that the UK is no longer under EU data protection laws. Once the draft adequacy decisions have been adopted they will remain in place for four years. After this four year period, it will be possible to renew these decisions once the level of protection for data transfers between the EU and UK have proven to be, and are likely to continue to be adequate.
Personal data transfers between the UK and the EU are currently protected during this interim period by the EU-UK Trade and Cooperation Agreement.
On January 1, 2021 an interim period began during which the UK, while no longer under EU law, continues to enjoy lawful and seamless data transfers under the EU-UK Trade and Cooperation Agreement, until June 30, 2021. Now that these initial steps in adopting adequacy decisions for data transfers to the UK, the European Commission awaits the opinion of the EDPB regarding this draft decision. Once this opinion has been taken into account, the so-called comitology procedure will ensue, during which the Commission will request approval from representatives of the EU member states in order to finalize adequacy for personal data transfers to the UK.