As the deadline drew closer to the end of the six-month bridging period, provided under the EU-UK Trade and Cooperation Agreement, the European Commission adopted two adequacy decisions for the United Kingdom: One under the General Data Protection Regulation (GDPR) and the other for the Law Enforcement Directive on the processing of personal data for criminal offenses.
With these decisions, the European Commission affirms the UK has entirely incorporated the GDPR requirements and the Law Enforcement Directive into its post-Brexit legal system.
So, what does this mean?
- The data protection laws of the UK were formally recognized as adequate with the EU laws
- Personal data will continue to flow freely between the EU and UK
- Data exporters transferring data from the EU to the UK will not need to implement additional transfer safeguards (e.g. Standard Contractual Clauses ).
What are the underlying grounds for the decisions?
- The UK provides strong safeguards against accessing personal data by public authorities
- The UK is subject to the jurisdiction of the European Court of Human Rights and must adhere to the European Convention of Human Rights
- The UK is one of the contracting parties of the Council of Europe Convention for the Protection of Individuals, with regard to Automatic Processing of Personal Data
It’s worth it to note that the decisions include a “sunset” clause, for the first time, which sets a time limit on the validity of the decisions.
According to the clause, the decisions will expire four years after the effective date and could be renewed if the UK maintains the adequate level of data protection for personal data. During this term, the Commission will monitor the legal system in the UK and could intervene at any time, should the UK fail to maintain adequacy.
As always, we’ll keep you informed on further developments.
Want more? Learn about regulatory watch.
Legal & Compliance Manager