22 February 2021
Despite the fact that its data protection rules largely mirrored the EU’s own General Data Protection Regulation (GDPR), when the UK came out of the transition period on 1 January 2021, it was no longer recognised by the EU has having “adequacy” in this regard.
The European Commission has the power to determine, on the basis of Regulation (EU) 2016/679, whether a country outside the EU (a third country) offers an adequate level of data protection.
During the discussions with the UK leading up to the announcement of an agreement on Christmas Eve, this part of the negotiations had not been completed as the UK reverted to third country status.
However, the European Commission had committed to continue to examine the situation and has now confirmed that it has prepared two adequacy Decisions for transfers of personal data to the UK, one under the GDPR and the other for the Law Enforcement Directive.
This second item of legislation has the rather unwieldy title of Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.
The proposed Commission Decision covering this directive can be found at https://ec.europa.eu/info/sites/info/files/draft_decision_on_the_adequate_protection_of_personal_data_by_the_united_kingdom_law_enforcement_directive_19_feb_2020.pdf; the draft GDPR Decision is available at https://ec.europa.eu/info/sites/info/files/draft_decision_on_the_adequate_protection_of_personal_data_by_the_united_kingdom_-_general_data_protection_regulation_19_feb_2020.pdf.
Justice Commissioner Didier Reynders said: “A flow of secure data between the EU and the UK is crucial to maintain close trade ties and co-operate effectively in the fight against crime. Today we launch the process to achieve that. We have thoroughly checked the privacy system that applies in the UK after it has left the EU”.
It is essential, he went on, that the adequacy findings are future proof now that the UK will no longer be bound by EU privacy rules. Therefore, once these draft Decisions are adopted they will be valid for a first period of four years which will be extendable “if the level of protection in the UK continues to be adequate”.
The Commission will now seek an opinion on its draft legislation from the European Data Protection Board (EDPB) before putting the matter to the Member States for approval.
During this period, data flows between the European Economic Area (EEA) and the UK are protected by a conditional interim regime that expires on 30 June 2021.
These latest moves have been welcomed by the British Chambers of Commerce (BCC).
BCC Co-Executive Director Hannah Essex said: “With the free flow of data critical to their operations, businesses will be greatly relieved at the granting of data adequacy which removes a costly cliff edge at a time when many are already struggling due to the pandemic and post-Brexit trading conditions”.