Data protection: European Commission launches process on personal data flows to UKCommission, IP/21/661, 19 February 2021
Compared to other non-EU countries where convergence is developed through the adequacy process between often divergent systems, EU law has shaped the UK's data protection regime for decades. At the same time, it is essential that the adequacy findings are future proof now that the UK will no longer be bound by EU privacy rules. Therefore, once these draft decisions are adopted they would be valid for a first period of four years. After four years, it would be possible to renew the adequacy finding if the level of protection in the UK would continue to be adequate.
Until then data flows between the European Economic Area and the UK continue and remain safe thanks to a conditional interim regime that was agreed in the EU-UK Trade and Cooperation Agreement. This interim period expires on 30 June 2021.
After taking the opinion of the European Data Protection Board into account, the European Commission will request the green light from Member States' representatives in the so-called comitology procedure. Following that, the European Commission could adopt the final adequacy decisions for the UK.
Articles 45(3) of the GDPR and Article 36(3) of the Law Enforcement Directive grant the Commission the power to decide, by means of an implementing act, that a non-EU country ensures "an adequate level of protection", i.e. a level of protection for personal data that is essentially equivalent to the level of protection within the EU. If a non-EU country has been found "adequate", transfers of personal data from the EU to the respective non-EU country can take place without being subject to any further conditions.
In the UK, the processing of data is governed by the so-called "UK GDPR" and the Data Protection Act 2018, which are based on the EU GDPR and the LED. They provide similar safeguards, individual rights, obligations for controllers and processors, rules on international transfers, supervision system and redress avenues to those available under EU law. The draft decisions also include a detailed assessment of the conditions and limitations as well as the oversight mechanisms and remedies applicable in case of access to data by UK public authorities, in particular for law enforcement and national security purposes.
It is also worth noting that the UK is - and has committed to remain - party to the European Convention of Human Rights and to "Convention 108" of the Council of Europe, the only binding multilateral instrument on data protection. This means that, while it has left the EU, the UK remains a member of the European "privacy family". Continued adherence to such international conventions is of particular importance for the stability and durability of the proposed adequacy findings.
The draft adequacy decisions sent to the EDPB today concern the flow of data from the EU to the UK. Data flows in the other direction - from the UK to the EU - are regulated by UK legislation, which applies since 1 January 2021. The UK decided that the EU ensures an adequate level of protection and that therefore data can flow freely from the UK to the EU.
"Data protection: European Commission launches process on personal data flows to UK", IP/21/661, Press Release, 19 February 2021