The European Commission proposed, on Friday 19 February, that the European Union should recognise for four years that UK legislation provides an adequate level of protection when personal data of EU citizens is transferred to the UK or subsequently transferred to another non-Member State.
“Ensuring free and safe flow of personal data is crucial for businesses and citizens on both sides of the Channel. The UK has left the EU, but not the European privacy family”, said the Vice-President of the Commission, Věra Jourová, in a statement.
In force since 1 January, the EU-UK Trade and Cooperation Agreement provides that, until the end of June, the UK remains subject to the General Data Protection Regulations (GDPR) (2016/679) and the Data Protection Law Enforcement Directive (2016/680) as well as the case law of the Court of Justice of the European Union (see EUROPE 12632/11).
In the meantime, the Commission was tasked with analysing the UK legislation and, above all, ensuring that mechanisms are in place in the UK to ensure that the adequacy of the rules remains in place in the medium term.
“In general, when we do an adequacy decision, the two systems are quite different and we build convergence as we did with Japan two years ago”, said a European source. The source added: “Here, the situation is slightly different, because the starting point is convergence. So the questions here were: ‘How do we make those decisions future-proof? How do we address possible developments?’ That is why we have a monitoring mechanism and the possibility to terminate the adequacy decision in case of a problematic divergence”.
The Commission notes that, in addition to the existence of an independent UK data protection authority and detailed national rules, all data collected in the UK or imported to the island from the EU or even from the rest of the world are treated in the same way.
One of the key issues was to analyse the level of protection for European citizens whose personal data is sent from the UK to another non-Member State (what is called ‘onward transfer’). “On the basis of the (British) system we have assessed today, we believe that it provides for those protections” and that it has a system which is “very shaped by EU law”, said the European source when questioned on the subject.
The two proposals for decisions submitted by the Commission must be adopted before the end of June. The European Data Protection Board (EDPB) will give an indicative opinion on the matter before the Member States take a decision by qualified majority in the competent committee.
For the Austrian lawyer Max Schrems, who has brought several data protection cases before the Court of Justice of the European Union, there are few grey areas regarding the adequacy decision on the commercial use of personal data. At the same time, he said via Twitter, “ there are obviously issues on UK government surveillance on EU data, which requires deeper analysis”.
The EU has data protection agreements with 12 jurisdictions, including Japan, Switzerland and Canada, and is currently negotiating with South Korea.
See the two draft decisions: http://bit.ly/3pBFndo (Original version in French by Mathieu Bion, with Marion Fontana)