What's new with personal data transfers to the UK
On 19 February 2021, the European Commission released two draft adequacy decisions, which, if adopted, will allow personal data transfers from the EU to the UK as if such transfers took place in the EU. One draft decision covers data transfers under the GDPR and the other (as a first) under the Law Enforcement Directive1.
What is the background?
Both draft decisions have been proposed in the context of Brexit and the deal on an EU-UK Trade and Cooperation Agreement ("TCA"). As a reminder, the data protection provisions of the TCA (text available here) provides for a temporary period (until 30 April 2021 extendable once until 30 June 2021) during which transfers made to the UK will not be considered as transfers within the meaning of the laws of the EU. These temporary provisions will also end if and when the UK is granted an adequacy decision (please read our related article here).
What's in the draft adequacy decisions?
The draft decisions are the result of the EU Commission assessing UK law and practice on the processing of personal data, including access by public authorities. They conclude that, considering notably the application of the UK Data Protection Act 2018 ("DPA"), as amended to incorporate the principles of the GDPR (the so-called "UK GDPR"), adhesion to the Council of Europe's Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data (and Protocol 108+) and submission to the European Court of Human Rights, the UK ensures an essentially equivalent level of data protection as in the EU.
What would be the validity period of the adequacy decisions if adopted?
As a first, the EU Commission proposed that the adequacy decisions, if adopted, will expire 4 years after their entry into force, after which they can be further extended. This expiry date has been introduced to ensure that UK law on data protection remains essentially equivalent to the EU law while the UK is covered by an adequacy decision.
The two draft adequacy decisions are in the process of obtaining an opinion from the European Data Protection Board. After that, they will be subject to the comitology procedure with a view to obtaining a green light from a committee of representatives of the Member States. Once agreed, the two decisions may be adopted by the EU Commission.
1. Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.