You may recall that the basic position under Articles 44 onwards of the GDPR is that personal data may not be transferred or processed outside the EU to third countries unless a derogation or adequacy or appropriate safe guards apply.
Following the UK's exit from the EU on 31 January 2020, the UK became a third country. The UK-EU Trade and Cooperation Agreement established a temporary framework to allow personal data to continue flowing freely between the EU and UK for business and law enforcement purposes during a temporary period until 30 June 2021.
With this temporary bridging mechanism due to expire on 30 June 2021, the UK submitted an application and overview of its data protection legislation to the European Commission (EC) for review in March 2020, with a view to seeking a finding of adequacy. This sought to demonstrate the UK's commitment to providing an equivalent level of protection for data subjects following its departure from the EU. Without an adequacy finding, certainly in the arena of commercial data, parties would need to rely on other mechanisms such as derogations, consent or use Standard Contractual Clauses (SCCs).
The EC has now published in draft two positive draft adequacy decisions, confirming that the UK's existing data protection regime under the General Data Protection Regulation and Law Enforcement Directive as retained by the UK Data Protection Act 2018 does provide an essentially equivalent level of protection for EU data subjects. These draft decisions will face further reviews by the EU Data Protection Authorities and European Data Protection Board before they are formally submitted to EU member states for approval and adoption, and once in force can apply for a four-year period before falling due for reassessment. This first step towards finding the UK's existing framework may be adequate comes as welcome news for UK law, the public and national security authorities.
Whilst the EC's draft decisions support the UK's independent legislative position, they also provide detailed commentary regarding the conditions, limitations and oversight mechanisms applicable to transborder data flows. The UK will also continue to face a high level of scrutiny particularly in relation to law enforcement, the European Convention of Human Rights and the Council of Europe's personal data processing Convention 108. This will have a significant bearing as the EC will bear in mind any changes made to these that under UK law enforcement bodies and businesses may be required to comply with as continuing international obligations, in order for the UK to benefit from a free flow of personal data.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.