The first step for the adoption of the adequacy decisions for transfers of personal data from the EU to the United Kingdom has been taken: the European Commission has published two draft decisions, one under the General Data Protection Regulation (GDPR) and the second one under the Law Enforcement Directive (LED).
The European Commission has thoughtfully assessed the UK’s law and practice on personal data protection and concluded that the level of protection guaranteed in the UK is fundamentally equivalent to that of the EU, ensured under both the GDPR and the LED.
What steps should be taken next?
After obtaining an opinion from the European Data Protection Board, the European Commission will call for the approval of Member States’ representatives in the commonly named comitology procedure. Subsequent to this procedure, the Commission will adopt the two adequacy decisions.
The adopted decisions would be valid for an initial period of four years. The renewal of the adequacy finding would be possible provided that the level of protection in the UK remains adequate.
Article 45(3) of the GDPR and Article 36(3) of the LED lay the basis for the adopted approach, empowering the Commission to decide that a non-EU country guarantees an ‘adequate level of protection’ i.e. a level of protection for personal data that is essentially equivalent to the level of protection within the EU. Therefore, if a non-EU country is assessed as adequate and, accordingly, its level of protection is essentially equivalent to that of the EU, transfers of personal data can be performed without further conditions.
Since the UK is no longer committed to the European privacy legislation, while remaining a party of? the binding Convention 108, the future proof of the adequacy decisions becomes vital. Quoting the Commissioner for Justice Reynders’ words (2021), “EU citizens’ fundamental right to data protection must never be compromised when personal data travel across the Channel. The adequacy decisions, once adopted, would ensure just that”.
Finally, the European Commission (2021) recalled that “Data flows in the other direction – from the UK to the EU – are regulated by UK legislation, which applies since 1 January 2021. The UK decided that the EU ensures an adequate level of protection and that therefore data can flow freely from the UK to the EU”.
21/04/2021
Leyre Carrasco Alonso – Regulatory Affairs Department
Would you like to know more? Contact us today!
References:
- European Parliament and Council. (2016a). Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Eur-Lex. Retrieved on 20/04/2021 from https://eur-lex.europa.eu/eli/reg/2016/679/oj
- European Parliament and Council. (2016b). Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of persona data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA. Eur-Lex. Retrieved on 20/04/2021 from https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016L0680
- European Commission. (2020). A new circular economy action plan. Eur-lex. Retrieved on
- European Commission. (2021a). Data protection: European Commission launches process on personal data flows to UK. EC. Retrieved on 16/04/2021 from https://ec.europa.eu/commission/presscorner/detail/en/ip_21_661?utm_source=MedTech%20Europe%20-%20Master%20List&utm_campaign=5740225783-EMAIL_CAMPAIGN_2019_09_27_02_37_COPY_01&utm_medium=email&utm_term=0_4f80bb191
- European Commission. (2021b). Draft decision on the adequate protection of personal data by the United Kingdom – General Data Protection Regulation. EC. Retrieved on 16/04/2021 from https://ec.europa.eu/info/files/draft-decision-adequate-protection-personal-data-united-kingdom-general-data-protection-regulation_en
- European Commission. (2021c). Draft decision on the adequate protection of persona data by the United Kingdom: Law Enforcement Directive. EC. Retrieved on 16/04/2021 from https://ec.europa.eu/info/files/draft-decision-adequate-protection-personal-data-united-kingdom-law-enforcement-directive_en
- European Commission. When does comitology apply? EC. Retrieved on 20/04/2021 from https://ec.europa.eu/info/law/law-making-process/adopting-eu-law/implementing-and-delegated-acts/comitology_en