There is a further transition period of six months to enable the European Commission to update GDPR EU law and secure EU data flows to UK. As of 1 January 2021, transfers of personal data to the United Kingdom are governed by the EU-UK Trade and Cooperation Agreement (TCA). The Brexit Deal agreed by EU and UK negotiators on 24 December 2020 and is in order from 01 January 2021.
As of 1 January 2021, transfers of personal data to the United Kingdom are governed by the EU-UK Trade and Cooperation Agreement (TCA), agreed by EU and UK negotiators on 24 December 2020 and provisionally applicable since the first day of the year. The Trade and Cooperation Agreement provides for an interim regime (so-called ‘bridging clause’, enshrined in Article FINPROV.10A of the TCA) that ensures the full continuity of data flows between the EEA and the UK, with no need for companies and public authorities to put in place any transfer tool under the GDPR or the LED.
This solution is applicable for a period of maximum six months, and is conditional on the commitment by the UK not to change the data protection regime currently in place. In essence, this means that the UK must continue to apply the data protection rules, based on EU law, that were applicable during the transition period.
GDPR of personal data flows to the United Kingdom
On 19 February 2021, the Commission launched the procedure for the adoption of two adequacy decisions for transfers of personal data to the United Kingdom, under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED) respectively. The publication of the draft decisions is the beginning of a process towards their adoption. This involves obtaining an opinion from the European Data Protection Board (EDPB) and the green light from a committee composed of representatives of the EU Member States. Once this procedure will have been completed, the Commission will adopt the two adequacy decisions.
Over the past months, the Commission has carefully assessed the UK’s law and practice on personal data protection, including the rules on access to data by public authorities. It concludes that the UK ensures an essentially equivalent level of protection to the one guaranteed under the General Data Protection Regulation (GDPR) and, for the first time, under the Law Enforcement Directive (LED).
Free and safe flow of personal data is crucial
Věra Jourová, Vice-President for Values and Transparency, said: “Ensuring free and safe flow of personal data is crucial for businesses and citizens on both sides of the Channel. The UK has left the EU, but not the European privacy family. At the same time, we should ensure that our decision will stand the test of time. This is why we included clear and strict mechanisms in terms of both monitoring and review, suspension or withdrawal of such decisions, to address any problematic development of the UK system after the adequacy would be granted.”
EU – UK GDPR is crucial
Didier Reynders, Commissioner for Justice, said: “A flow of secure data between the EU and the UK is crucial to maintain close trade ties and cooperate effectively in the fight against crime. Today we launch the process to achieve that. We have thoroughly checked the privacy system that applies in the UK after it has left the EU. Now European Data Protection Authorities will thoroughly examine the draft texts. EU citizens’ fundamental right to data protection must never be compromised when personal data travel across the Channel. The adequacy decisions, once adopted, would ensure just that.”
Compared to other non-EU countries where convergence is developed through the adequacy process between often divergent systems, EU law has shaped the UK’s data protection regime for decades. At the same time, it is essential that the adequacy findings are future proof now that the UK will no longer be bound by EU privacy rules. Therefore, once these draft decisions are adopted they would be valid for a first period of four years. After four years, it would be possible to renew the adequacy finding if the level of protection in the UK would continue to be adequate.
Until then data flows between the European Economic Area and the UK continue and remain safe thanks to a conditional interim regime that was agreed in the EU-UK Trade and Cooperation Agreement. This interim period expires on 30 June 2021.
The European Commission will request the green light from Member States’ representatives in the so-called comitology procedure. Following that, the European Commission could adopt the final adequacy decisions for the UK.
European General Data Protection Regulation (GDPR)
Articles 45(3) of the GDPR and Article 36(3) of the Law Enforcement Directive grant the Commission the power to decide, by means of an implementing act, that a non-EU country ensures “an adequate level of protection”, i.e. a level of protection for personal data that is essentially equivalent to the level of protection within the EU. If a non-EU country has been found “adequate”, transfers of personal data from the EU to the respective non-EU country can take place without being subject to any further conditions.
GDPR on data flows to UK
In the UK, the processing of data is governed by the so-called “UK GDPR” and the Data Protection Act 2018, which are based on the EU GDPR and the LED. They provide similar safeguards, individual rights, obligations for controllers and processors, rules on international transfers, supervision system and redress avenues to those available under EU law. The draft decisions also include a detailed assessment of the conditions and limitations as well as the oversight mechanisms and remedies applicable in case of access to data by UK public authorities, in particular for law enforcement and national security purposes.
It also worth noting that the UK is – and has committed to remain – party to the European Convention of Human Rights and to “Convention 108” of the Council of Europe, the only binding multilateral instrument on data protection. This means that, while it has left the EU, the UK remains a member of the European “privacy family”. Continued adherence to such international conventions is of particular importance for the stability and durability of the proposed adequacy findings.
European Data Protection Board (EDPB) EU debates
The draft adequacy decisions sent to the EDPB concern the flow of data from the EU to the UK. Data flows in the other direction – from the UK to the EU – are regulated by UK legislation, which applies since 1 January 2021. The UK decided that the EU ensures an adequate level of protection and that therefore data can flow freely from the UK to the EU.