The European Commission has published two draft adequacy decisions for transfers of personal data from the EU to the UK post-Brexit. One decision covers data transferred under the General Data Protection Regulation (GDPR) and the other relates to the Law Enforcement Directive (LED).
In the UK, the processing of data is now governed by the “UK GDPR” and the Data Protection Act 2018, which are based on the EU GDPR and the LED. They provide similar safeguards, individual rights, obligations for controllers and processors, rules on international transfers, supervision system and redress avenues to those available under EU law. The UK has already decided that the EU ensures an adequate level of protection so data can flow freely from the UK to the EU in terms of domestic legislation. The draft adequacy decisions concern the flow of data from the EU to the UK.
Having carefully assessed the UK's law and practice on personal data protection, the European Commission has concluded that the level of protection the UK ensures is essentially equivalent to that guaranteed under the GDPR and the LED, hence the draft decisions to this effect.
Publishing the draft decisions is the first step in the process towards their adoption. The next step is to obtain an opinion from the European Data Protection Board and then to seek agreement from a committee of representatives of the EU Member States.
Once these draft decisions are adopted, they will be valid for an initial period of four years. After four years, it would be possible for the European Commission to renew the adequacy finding if the level of protection in the UK continues to be adequate.
Until the decisions are adopted, data continues to flow safely between the European Economic Area and the UK under the conditional interim regime that was agreed in the EU-UK Trade and Cooperation Agreement. This interim period expires on 30 June 2021. Subject to approval by the EU Member States, it is anticipated that the adequacy decisions will be adopted before this deadline passes but organisations who rely on the transfer of data from the EU are advised to have an alternative process in place, such as the Standard Contractual Clauses, to safeguard against any potential disruption to data flow.
Get in touch - we're here to help
If you have any particular concerns regarding data protection compliance during this time, please contact a member of our team.