Towards an adequate level of personal data protection – Adequacy decisions adopted by the European Commission
On February 19, 2021, the European Commission published two draft adequacy decisions for the United Kingdom (UK) and initiated their adoption procedure. Following the approval of the EU Member States’ representatives in the commonly named comitology procedure, the European Commission has adopted the two following adequacy decisions on June 28, 2021:
- Decision on the adequate protection of personal data by the United Kingdom – General Data Protection Regulation;
- Decision on the adequate protection of personal data by the United Kingdom: Law Enforcement Directive.
This entails that personal data can now circulate freely from the European Union (EU) to the UK, where the equivalent level of data protection is guaranteed under EU law. The adequacy decisions will also ease the correct implementation of the EU-UK Trade and Cooperation Agreement, which foresees the exchange of personal information (European Commission, 2021a). This comes to support the fact that the EU has the highest personal data protection standards, and this must also be reflected when such data is transferred outside its borders.
Main takeaways from the adequacy decisions:
- The UK’s data protection system will still be based on the same rules that were applicable when the UK was part of the EU. The principles, rights and obligations of the GDPR, and the Law Enforcement Directive into its post-Brexit legal system have been fully incorporated by the UK;
- The UK system provides for strong safeguards against access to personal data by public authorities in the UK, particularly for national security reasons. As an example, the collection of data by intelligence authorities is, generally, subject to prior authorization by an independent judicial body. Any measure needs to be necessary and proportionate to its purpose;
- The adequacy decisions include a so-called ‘sunset clause’, which strictly limits their duration. Consequently, the decisions will automatically expire four years after their entry into force. Following the 4-year period, the adequacy findings can be renewed, with the condition that the UK continues to ensure an adequate level of data protection (European Commission, 2021a).
Data transfers are essential for international trade, and this has come as a breath of fresh air for businesses located in both the EU and the UK.
Contact us in case of any queries!
Bianca Sofian
VIP Department
15/07/2021
References:
European Commission. (2021a). Data protection: Commission adopts adequacy decisions for the UK. Retrieved on 15/07/2021 from https://ec.europa.eu/commission/presscorner/detail/en/ip_21_3183
European Commission. (2021b.). COMMISSION IMPLEMENTING DECISION of 28.6.2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom.
European Commission. (2021c). COMMISSION IMPLEMENTING DECISION of 28.6.2021 pursuant to Directive (EU) 2016/680 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom.
European Commission. (2021d). When does comitology apply? EC. Retrieved on 15/07/2021 from https://ec.europa.eu/info/law/law-making-process/adopting-eu-law/implementing-and-delegated-acts/comitology_en