Data protection: European Commission launches process on personal data flows to UK

Data protection: European Commission launches process on personal data flows to UK

Today, 19th February 2021, the Commission launched the process towards the adoption of two adequacy decisions for transfers of personal data to the United Kingdom, one under the General Data Protection Regulation and the other for the Law Enforcement Directive.

The publication of the draft decisions is the beginning of a process towards their adoption. This involves obtaining an opinion from the European Data Protection Board (EDPB) and the green light from a committee composed of representatives of the EU Member States. Once this procedure will have been completed, the Commission could proceed to adopt the two adequacy decisions.

Over the past months, the Commission has carefully assessed the UK’s law and practice on personal data protection, including the rules on access to data by public authorities. It concludes that the UK ensures an essentially equivalent level of protection to the one guaranteed under the General Data Protection Regulation (GDPR) and, for the first time, under the Law Enforcement Directive (LED).

Compared to other non-EU countries where convergence is developed through the adequacy process between often divergent systems, EU law has shaped the UK’s data protection regime for decades. At the same time, it is essential that the adequacy findings are future proof now that the UK will no longer be bound by EU privacy rules. Therefore, once these draft decisions are adopted they would be valid for a first period of four years. After four years, it would be possible to renew the adequacy finding if the level of protection in the UK would continue to be adequate.

Until then data flows between the European Economic Area and the UK continue and remain safe thanks to a conditional interim regime that was agreed in the EU-UK Trade and Cooperation Agreement. This interim period expires on 30 June 2021.

Next steps

After taking the opinion of the European Data Protection Board into account, the European Commission will request the green light from Member States’ representatives in the so-called comitology procedure. Following that, the European Commission could adopt the final adequacy decisions for the UK.

Background

Articles 45(3) of the GDPR and Article 36(3) of the Law Enforcement Directive grant the Commission the power to decide, by means of an implementing act, that a non-EU country ensures “an adequate level of protection”, i.e. a level of protection for personal data that is essentially equivalent to the level of protection within the EU.

If a non-EU country has been found “adequate”, transfers of personal data from the EU to the respective non-EU country can take place without being subject to any further conditions.

In the UK, the processing of data is governed by the so-called “UK GDPR” and the Data Protection Act 2018, which are based on the EU GDPR and the LED.

They provide similar safeguards, individual rights, obligations for controllers and processors, rules on international transfers, supervision system and redress avenues to those available under EU law.

The draft decisions also include a detailed assessment of the conditions and limitations as well as the oversight mechanisms and remedies applicable in case of access to data by UK public authorities, in particular for law enforcement and national security purposes.

It also worth noting that the UK is – and has committed to remain – party to the European Convention of Human Rights and to “Convention 108” of the Council of Europe, the only binding multilateral instrument on data protection. This means that, while it has left the EU, the UK remains a member of the European “privacy family”. Continued adherence to such international conventions is of particular importance for the stability and durability of the proposed adequacy findings.

The draft adequacy decisions sent to the EDPB today concern the flow of data from the EU to the UK. Data flows in the other direction – from the UK to the EU – are regulated by UK legislation, which applies since 1 January 2021. The UK decided that the EU ensures an adequate level of protection and that therefore data can flow freely from the UK to the EU.

Commenting on the decision by the European Commission to grant the UK data adequacy, British Chambers of Commerce Co-Executive Director Hannah Essex said:

“With the free flow of data critical to their operations, businesses will be greatly relieved at the granting of data adequacy which removes a costly cliff edge at a time when many are already struggling due to the pandemic and post-Brexit trading conditions.

“However, it should not distract from the need to address the many practical difficulties that are currently stifling trade between us. More needs to be done to fix these problems otherwise many firms may simply give up on doing business with the EU.

“This should include pushing back the dates for introducing additional scientific checks on animal and plant goods from April and full customs checks on imports from July, and increasing the support available for businesses who need time to adapt to the new trading conditions.”

"Businesses will be greatly relieved at the granting of data adequacy which removes a costly cliff edge."

Share this news story:

Other News

22-11-2024
Hatch a plan with the Hatchery! 💡Lincoln’s newest meeting venue.

If you go down to the woods today, you’ll be in for a cracking surprise.

Read More
20-11-2024
Free training for East Lindsey businesses from PAB Sema4’s Global Gateway Programme thanks to the ...

PAB Sema4 has been allocated extra funding to support additional Lincolnshire businesses after the success of its Global Gate...

Read More

Join our ever-growing membership base

Become a member
Our Patrons