Věra Jourová, Vice-President for Values and Transparency, said: “The UK has left the EU but today its legal regime of protecting personal data is as it was. Because of this, we are adopting these adequacy decisions today. At the same time, we have listened very carefully to the concerns expressed by the Parliament, the Members States and the European Data Protection Board, in particular on the possibility of future divergence from our standards in the UK's privacy framework. We are talking here about a fundamental right of EU citizens that we have a duty to protect. This is why we have significant safeguards and if anything changes on the UK side, we will intervene”.
Didier Reynders, Commissioner for Justice, said: “After months of careful assessments, today we can give EU citizens certainty that their personal data will be protected when it is transferred to the UK. This is an essential component of our new relationship with the UK. It is important for smooth trade and the effective fight against crime. The Commission will be closely monitoring how the UK system evolves in the future and we have reinforced our decisions to allow for this and for an intervention if needed. The EU has the highest standards when it comes to personal data protection and these must not be compromised when personal data is transferred abroad.”
Key elements of the adequacy decisions
- The UK's data protection system continues to be based on the same rules that were applicable when the UK was a Member State of the EU. The UK has fully incorporated the principles, rights and obligations of the GDPR and the Law Enforcement Directive into its post-Brexit legal system.
- With respect to access to personal data by public authorities in the UK, notably for national security reasons, the UK system provides for strong safeguards. In particular, the collection of data by intelligence authorities is, in principle, subject to prior authorisation by an independent judicial body. Any measure needs to be necessary and proportionate to what it intends to achieve. Any person who believes they have been the subject of unlawful surveillance may bring an action before the Investigatory Powers Tribunal. The UK is also subject to the jurisdiction of the European Court of Human Rights and it must adhere to the European Convention of Human Rights as well as to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, which is the only binding international treaty in the area of data protection. These international commitments are an essential elements of the legal framework assessed in the two adequacy decisions.
- For the first time, the adequacy decisions include a so-called ‘sunset clause', which strictly limits their duration. This means that the decisions will automatically expire four years after their entry into force. After that period, the adequacy findings might be renewed, however, only if the UK continues to ensure an adequate level of data protection. During these four years, the Commission will continue to monitor the legal situation in the UK and could intervene at any point, if the UK deviates from the level of protection currently in place. Should the Commission decide to renew the adequacy finding, the adoption process would start again.
- Transfers for the purposes of UK immigration control are excluded from the scope of the adequacy decision adopted under the GDPR in order to reflect a recent judgment of the England and Wales Court of Appeal on the validity and interpretation of certain restrictions of data protection rights in this area. The Commission will reassess the need for this exclusion once the situation has been remedied under UK law.
Background
On 19 February, the Commission published two draft adequacy decisions and launched the procedure for their adoption. Over the past months, the Commission has carefully assessed the UK's law and practice on personal data protection, including the rules on access to data by public authorities in the UK. The Commission has been in close contact with the European Data Protection Board, which gave its opinion on 13 April, the European Parliament and the Member States. Following this in-depth process, the European Commission requested the green light on the adequacy decisions from Member States' representatives in the so-called comitology procedure. The adoption of the decisions today, following the agreement from Member States' representatives, is the last step in the procedure. The two adequacy decisions enter into force today.
The EU-UK Trade and Cooperation Agreement (TCA) includes a commitment by the EU and UK to uphold high levels of data protection standards. The TCA also provides that any transfer of data to be carried out in the context of its implementation has to comply with the data protection requirements of the transferring party (for the EU, the requirements of the GDPR and the Law Enforcement Directive). The adoption of the two unilateral and autonomous adequacy decisions is an important element to ensure the proper application and functioning of the TCA. The TCA provides for a conditional interim regime under which data can flow freely from the EU to the UK. This interim period expires on 30 June 2021.