On Monday 28 June, the European Commission adopted two decisions recognising the adequacy of the UK’s data protection rules with those in force in the European Union.
With the completion of this final step in a process that began in February (see EUROPE 12662/2), personal data can now flow freely from the EU to the UK until 27 June 2025, as the EU considers the safeguards in place on the UK side to be sufficiently robust.
“The UK remains in the data protection family”, said Christian Wigand, spokesperson at the Commission.
Asked about potential transfers of EU citizens’ personal data to UK authorities for surveillance purposes, he referred to a detailed analysis by the EU institution, as required by the EU Court of Justice's ‘Schrems II’ ruling, that UK law contains robust safeguards.
In particular, the collection of data by intelligence services is, in principle, subject to prior authorisation by an independent judicial body. Any measure must be necessary and proportionate to the objective pursued. And anyone who believes that they have been subject to unlawful surveillance can apply to the Investigatory Power Tribunal.
In addition, the UK remains subject to the jurisdiction of the European Court of Human Rights and is a party to Council of Europe Convention 108 for the protection of personal data, which is the only binding international treaty in this area.
Mr Wigand also stressed the importance of the sunset clause in the adequacy decisions, which provides, for the first time in a text of this kind, for the end of equivalence in four years. “It is a guarantee that the UK will remain in line with EU law”, he said, adding that the adequacy decision could be revoked at any time.
Finally, under the GDPR Regulation, transfers related to UK immigration control are excluded from the scope of adequacy decisions, to reflect a recent judgment by the Court of Appeal of England and Wales on the validity and interpretation of certain restrictions on data protection rights in this area. The Commission will review the appropriateness of this exclusion once the situation has been resolved under UK law.
At the end of May, the European Parliament had asked the Commission to reconsider its position on this issue, ensuring that UK law respects European case law and the concerns of the European Data Protection Board (EDPB) (see EUROPE 12724/16).
“We have listened very carefully to the concerns expressed by the Parliament, the Members States and the European Data Protection Board, in particular on the possibility of future divergence from our standards in the UK’s privacy framework”, said Vice-President for Values and Transparency Věra Jourová in a statement.
See the adequacy decisions: https://bit.ly/360Ql4N (Original version in French by Mathieu Bion)