22 February 2021

CRE: EC confirms UK data adequacy but will review in 2025

It will now move to adopt the draft data adequacy decisions on the GDPR and then on the Law Enforcement Directive, which will allow the personal data of EU citizens to continue to transfer to the UK after the interim agreement expires on 30 June 2021.

The European Commission (EC) has said the UK’s data protection laws are strong enough to allow for the free flow of personal information between the EU and UK as the two sides renegotiate following Brexit.

It will now move to adopt the draft data adequacy decisions on the GDPR and then on the Law Enforcement Directive, which will allow the personal data of EU citizens to continue to transfer to the UK after the interim agreement expires on 30 June 2021. The UK had already agreed to the flow of UK personal data to Europe under legislation in place since the start of the year.

Data adequacy will allow both businesses and public authorities, in particular police forces, to continue to transfer data for four years to 2025. The decisions will then be reviewed to ensure that the UK’s data protection laws maintain adequacy with Europe.

Announcing the decision, Věra Jourová, EC vice-president for values and transparency, said: “The UK has left the EU, but not the European privacy family.”

But she added the decision should “stand the test of time”. The review mechanism will allow the EC to change its decision if the UK’s data protection rules drift too far from those in Europe.

“EU citizens’ fundamental right to data protection must never be compromised when personal data travels across the Channel,” said Didier Reynders, EC commissioner for justice.

The UK welcomed the EC’s decision, but it called on the EU to act quickly and adopt the drafts as soon as possible, to provide certainty for businesses and public agencies after months of discussion.

Secretary of state for digital Oliver Dowden said the EU has acted “slower” than the UK “would have wished” in issuing the draft decisions.

“The UK has a world-class data protection system, currently the same as the European Union’s, so it is logical that the Commission should find the UK ‘adequate’,” the UK government said.

The European Data Protection Board will review the draft decisions. EU member states also need to give their approval before they are adopted.

The EC said: “Over the past months, the Commission has carefully assessed the UK’s law and practice on personal data protection, including the rules on access to data by public authorities. It concludes that the UK ensures an essentially equivalent level of protection to the one guaranteed under the General Data Protection Regulation and, for the first time, under the Law Enforcement Directive.”

The EU has recognised other data protection laws in third countries as adequate, including Argentina, Canada, Israel, Japan, New Zealand, Switzerland and Uruguay.

“Technical confirmation of the draft adequacy decisions will help make sure UK businesses and organisations in everything from logistics to legal services, healthcare to human resources, can continue to receive personal data from the EU and EEA without additional compliance costs. This ensures they will avoid potential knock-on effects for consumers and boost UK startups and smaller firms that operate in EU markets and sell to EU customers,” the UK government said.

The Association of British Insurers’ director of regulation Charlotte Clark said: “We very much welcome the Commission’s draft decision on data adequacy to allow the continued free flow of data between the UK and the EU. We have long pressed for such an approach – it is the most legally sound way of sharing personal data. We hope the process to formally adopt the decision will be swift from here.”

CRE

© Commercial Risk Europe