On 28 June 2021, the European Commission adopted two adequacy decisions relating to the protection of personal data by the United Kingdom (UK), one in relation to the EU General Data Protection Regulation 2016/679 (GDPR) and the other in relation to the EU Law Enforcement Directive 2016/680.
With the adoption of the adequacy decisions, personal data can now flow freely between the EU and the UK since the UK regime provides for an equivalent level of protection to that guaranteed under EU law. The adequacy decisions also facilitate the correct implementation of the EU-UK Trade and Cooperation Agreement, which foresees the exchange of personal information, for example for cooperation on judicial matters. The adequacy decision is also likely to bring a sigh of relief to various European businesses which may have data exchange arrangements with the EU and which are working to mitigate the impact of Brexit on their operations.
In issuing the adequacy decisions the Commission carefully assessed the UK's law and practice on personal data protection, including the rules on access to data by public authorities in the UK. The Commission has been in close contact with the European Data Protection Board (which gave its own opinion on the matter on 13 April 2021), the European Parliament and the Member States.
The key elements of the adequacy decisions are the following:
- The UK's data protection system continues to be based on the same rules that were applicable when the UK was a Member State of the EU. The UK has fully incorporated the principles, rights and obligations of the GDPR and the Law Enforcement Directive into its post-Brexit legal system.
- With respect to access to personal data by public authorities in the UK, notably for national security reasons, the UK system provides for strong safeguards. The UK is also subject to the jurisdiction of the European Court of Human Rights and it must adhere to the European Convention of Human Rights as well as to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, which is the only binding international treaty in the area of data protection.
- For the first time, the adequacy decisions include a so-called ‘sunset clause', which strictly limits their duration. This means that the decisions will automatically expire four years after their entry into force. After that period, the adequacy findings might be renewed, however, only if the UK continues to ensure an adequate level of data protection.
- Transfers for the purposes of UK immigration control are excluded from the scope of the adequacy decision adopted under the GDPR in order to reflect a recent judgment of the England and Wales Court of Appeal on the validity and interpretation of certain restrictions of data protection rights in this area.
The two adequacy decisions entered into force as of 28 June 2021.
The press release and the relevant documentation can be found here.