Data protection: European Commission launches process on personal data flows to UK
Today, the Commission launched the process towards the adoption of two adequacy decisions for transfers of personal data to the United Kingdom, one under the General Data Protection Regulation and the other for the Law Enforcement Directive. The publication of the draft decisions is the beginning of a process towards their adoption. This involves obtaining an opinion from the European Data Protection Board (EDPB) and the green light from a committee composed of representatives of the EU Member States. Once this procedure will have been completed, the Commission could proceed to adopt the two adequacy decisions.
Over the past months, the Commission has carefully assessed the UK’s law and practice on personal data protection, including the rules on access to data by public authorities. It concludes that the UK ensures an essentially equivalent level of protection to the one guaranteed under the General Data Protection Regulation (GDPR) and, for the first time, under the Law Enforcement Directive (LED).
Věra Jourová, Vice-President for Values and Transparency, said: “Ensuring free and safe flow of personal data is crucial for businesses and citizens on both sides of the Channel. The UK has left the EU, but not the European privacy family. At the same time, we should ensure that our decision will stand the test of time. This is why we included clear and strict mechanisms in terms of both monitoring and review, suspension or withdrawal of such decisions, to address any problematic development of the UK system after the adequacy would be granted.”
Didier Reynders, Commissioner for Justice, said: “A flow of secure data between the EU and the UK is crucial to maintain close trade ties and cooperate effectively in the fight against crime. Today we launch the process to achieve that. We have thoroughly checked the privacy system that applies in the UK after it has left the EU. Now European Data Protection Authorities will thoroughly examine the draft texts. EU citizens’ fundamental right to data protection must never be compromised when personal data travel across the Channel. The adequacy decisions, once adopted, would ensure just that.”
Compared to other non-EU countries where convergence is developed through the adequacy process between often divergent systems, EU law has shaped the UK’s data protection regime for decades. At the same time, it is essential that the adequacy findings are future proof now that the UK will no longer be bound by EU privacy rules. Therefore, once these draft decisions are adopted they would be valid for a first period of four years. After four years, it would be possible to renew the adequacy finding if the level of protection in the UK would continue to be adequate.
Until then data flows between the European Economic Area and the UK continue and remain safe thanks to a conditional interim regime that was agreed in the EU-UK Trade and Cooperation Agreement. This interim period expires on 30 June 2021.
After taking the opinion of the European Data Protection Board into account, the European Commission will request the green light from Member States’ representatives in the so-called comitology procedure. Following that, the European Commission could adopt the final adequacy decisions for the UK.
Articles 45(3) of the GDPR and Article 36(3) of the Law Enforcement Directive grant the Commission the power to decide, by means of an implementing act, that a non-EU country ensures “an adequate level of protection”, i.e. a level of protection for personal data that is essentially equivalent to the level of protection within the EU. If a non-EU country has been found “adequate”, transfers of personal data from the EU to the respective non-EU country can take place without being subject to any further conditions.
In the UK, the processing of data is governed by the so-called “UK GDPR” and the Data Protection Act 2018, which are based on the EU GDPR and the LED. They provide similar safeguards, individual rights, obligations for controllers and processors, rules on international transfers, supervision system and redress avenues to those available under EU law. The draft decisions also include a detailed assessment of the conditions and limitations as well as the oversight mechanisms and remedies applicable in case of access to data by UK public authorities, in particular for law enforcement and national security purposes.
It also worth noting that the UK is – and has committed to remain – party to the European Convention of Human Rights and to “Convention 108” of the Council of Europe, the only binding multilateral instrument on data protection. This means that, while it has left the EU, the UK remains a member of the European “privacy family”. Continued adherence to such international conventions is of particular importance for the stability and durability of the proposed adequacy findings.
The draft adequacy decisions sent to the EDPB today concern the flow of data from the EU to the UK. Data flows in the other direction – from the UK to the EU – are regulated by UK legislation, which applies since 1 January 2021. The UK decided that the EU ensures an adequate level of protection and that therefore data can flow freely from the UK to the EU.