The GDPR will play a special role in the transfer of personal data between the UK and the EU. Here, too, a kind of transitional period has been agreed.
- Until 30 April, the UK is not considered a third country under the GDPR – data traffic can take place as usual without additional precautions.
- This period may be extended by 2 months until 30 June.
- The condition is that the UK applies the GDPR exactly to the same standards as the EU and informs the EU immediately in the event of changes
- An important criterion will be whether personal data iswidelyde-thaw across borders.
- On June 1st, the EU Parliament discussed the adequacy decision and recommended it to the EU Commission.
- This adequacy decision was confirmed by the EU Commission on June 28th and has been in force since July 1st
The EU's June 28 adequacy vote on data protection with UK should be viewed with caution. The vote is limited to 4 years and says that the EU can withdraw from the agreement if it turns out that the UK would noticeably deviate from the EU GDPR. In this context, reference is made to the British Government's TIGRR report (Taskforce on Innovation, Growth and Regulatory Reform independent report). Here it becomes clear that the UK would like to apply other aspects for data protection for consumers and that a reform or a replacement for the EU GDPR is being sought. We have looked through the TIGR report and can understand the UK approach. So if the UK continues to pursue this approach - and it can be assumed - the EU will withdraw from the adequacy decision. From this point in time at the latest, companies should start thinking about their own office in the UK resp. the EU.
Press release: UK government welcomes the European Commission’s draft data adequacy decisions
Published 19 February 2021
- Today’s draft decisions follow months of discussions and pave the way for continued free flow of data between the EU and the UK
- The UK now urges the EU to fulfil its declared commitment to complete the technical approval process swiftly, so that we have final data adequacy decisions as soon as possible
- This will provide certainty for businesses, enable continued cooperation between the UK and the EU, and will ensure law enforcement authorities can keep our citizens safe
The government welcomes the European Commission’s draft data adequacy decisions, which recognise the UK’s high data protection standards and set out that the UK should be found ‘adequate’.
The UK has a world-class data protection system, currently the same as the European Union’s, so it is logical that the Commission should find the UK ‘adequate’.
The EU already recognises other countries around the world as adequate including Argentina, Canada, Israel, Japan, New Zealand, Switzerland and Uruguay - and the UK freely exchanges data with these countries.
Positive data adequacy decisions under both the EU General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED) would allow for personal data to continue to flow freely from the European Union (EU) and wider European Economic Area (EEA) to the UK.
Seamless international data flows are essential in a hyper-connected world. They underpin the exchange of information and ideas supporting trade, innovation and investment, assist with law enforcement agencies tackling crime, and support the delivery of critical public services sharing personal data as well as facilitating health and scientific research.
Technical confirmation of the draft adequacy decisions will help make sure UK businesses and organisations in everything from logistics to legal services, healthcare to human resources, can continue to receive personal data from the EU and EEA without additional compliance costs. This ensures they will avoid potential knock-on effects for consumers and boost UK startups and smaller firms which operate in EU markets and sell to EU customers.
The UK formally provided the Commission with comprehensive explanatory material nearly a year ago at the start of the adequacy assessment in March 2020. The UK has already recognised the EU and EEA member states as ‘adequate’, as part of its commitment to establish a smooth transition for the UK’s departure from the bloc and manage data flows on an objective basis.
Since then, UK officials led by the Department for Digital, Culture, Media and Sport (DCMS) have held a series of discussions with their European Commission counterparts to reiterate carefully and fully the UK’s legal and regulatory framework and demonstrate beyond doubt that the UK clearly meets the EU’s data adequacy requirements.
The draft decisions published today by the Commission will now be shared with the European Data Protection Board for a ‘non-binding opinion’, before being presented to EU member states for formal approval.
The UK made its representations to the EU in a timely manner but the Commission did not finalise draft decisions in time to complete the adoption process by the end of the transition period. For this reason, as part of the UK/EU Trade and Cooperation Agreement, a time-limited ‘bridging mechanism’ for personal data flows was agreed. This currently allows personal data to continue to flow as it did before the end of the Brexit transition period for up to six months, while the EU completes the adequacy process.
The UK government now urges the EU to swiftly complete this technical process for adopting and formalising these adequacy decisions as early as possible.
Secretary of State for Digital Oliver Dowden said:
I welcome the publication of these draft decisions which rightly reflect the UK’s commitment to high data protection standards and pave the way for their formal approval.
Although the EU’s progress in this area has been slower than we would have wished, I am glad we have now reached this significant milestone following months of constructive talks in which we have set out our robust data protection framework.
I now urge the EU to fulfil their commitment to complete the technical approval process promptly, so businesses and organisations on both sides can seize the clear benefits.
Julian David CEO of techUK said:
The European Commission’s decisions that the UK’s data protection regime offers an equivalent level of protection to the EU GDPR reflects the UK’s high data protection standards.
Today’s decision is warmly welcomed by the tech sector which has been making clear the importance of a mutual data adequacy agreement since the day after the referendum.
Receiving data adequacy, alongside the EU-UK Trade and Cooperation Agreement, will set a solid foundation for digital trade with the EU, including strong non-discrimination clauses and positive data flows provisions, that will give businesses the confidence to invest.
- The ‘bridging mechanism’ will remain in place until June 30 or until the adequacy decisions come into effect, whichever is sooner.
- The UK has a long and proud tradition of defending privacy rights. In the 1970s, the UK developed pioneering committees to explore the protection of personal data, and in 1981 the UK was one of the first to sign Council of Europe Convention 108. More recently, the UK played an active role in developing the GDPR and LED. The UK Government will continue to promote high data protection standards.
- Read the European Commission’s press statement here.
- Read the GDPR decision here.
- Read the Law Enforcement Directive decision here.
DCMS press office is on 020 7211 2210.
European Data Protection Board - 48th Plenary Session - Statement: Wednesday, 14 April, 2021
During its plenary session, the EDPB adopted two Opinions on the draft UK adequacy decisions. Opinion 14/2021 is based on the GDPR and assesses both general data protection aspects and government access to personal data transferred from the EEA for the purposes of law enforcement and national security included in the draft adequacy decision. This assessment is based on the GDPR Adequacy Referential WP254. Opinion 15/2021 is based on the Law Enforcement Directive (LED) and analyses the draft adequacy decision in the light of Recommendations 01/2021 on the adequacy referential under the Law Enforcement Directive, as well as the relevant case law reflected in Recommendations 02/2020 on the European Essential Guarantees for surveillance measures. This is the first draft implementing decision on a third country’s adequacy under the LED ever presented by the European Commission and assessed by the EDPB.
The EDPB notes that there are key areas of strong alignment between the EU and the UK data protection frameworks on certain core provisions such as: grounds for lawful and fair processing for legitimate purposes; purpose limitation; data quality and proportionality; data retention, security and confidentiality; transparency; special categories of data; and on automated decision making and profiling.
EDPB Chair, Andrea Jelinek said: "The UK data protection framework is largely based on the EU data protection framework. The UK Data Protection Act 2018 further specifies the application of the GDPR in UK law, in addition to transposing the LED, as well as granting powers and imposing duties on the national data protection supervisory authority, the ICO. Therefore, the EDPB recognises that the UK has mirrored, for the most part, the GDPR and LED in its data protection framework and when analysing its law and practice, the EDPB identified many aspects to be essentially equivalent. However, whilst laws can evolve, this alignment should be maintained. So we welcome the Commission's decision to limit the granted adequacy in time and the intention to closely monitor developments in the UK.”
The EDPB underlines that several items should be further assessed and/or closely monitored by the European Commission in its decision based on the GDPR, such as:
- Immigration Exemption and its consequences on restrictions on data subject rights;
- The application of restrictions to onward transfers of EEA personal data transferred to the UK, on the basis of, for instance, future adequacy decisions adopted by the UK, international agreements concluded between the UK and third countries, or derogations.
Regarding access by public authorities for national security purposes to personal data transferred to the UK, the EDPB welcomes the establishment of the Investigatory Powers Tribunal (IPT) to address the challenges of redress in the area of national security, and the introduction of Judicial Commissioners in the Investigatory Powers Act (IPA) 2016 to ensure better oversight in that same field. The EDPB still identifies a number of points requiring further clarifications and/or monitoring:
- Bulk interceptions;
- Independent assessment and oversight of the use of automated processing tools;
- Safeguards provided under UK law when it comes to overseas disclosure, in particular in light of the application of national security exemptions.
The Board adopted Guidelines on the application of Article 65(1)(a) GDPR to delineate the main stages of the procedure and clarify the competence of the EDPB when adopting a legally binding decision on the basis of Article 65(1)(a) GDPR. The Guidelines also include a description of the applicable procedural safeguards and remedies. The guidelines will be subject to public consultation for a period of six weeks.
The EDPB adopted a final version of the Guidelines on the targeting of social media users following public consultation. The aim of the Guidelines is to clarify the roles and responsibilities of social media providers and targeted individuals. The final version integrates updated wording in order to address comments and feedback received during the public consultation.
The EDPB adopted a Statement on international agreements including transfers. The EDPB invites EU Member States to assess and, where necessary, review their international agreements that involve international transfers of personal data and which were concluded before 24 May 2016 (for those relevant to the GDPR) and 6 May 2016 (for those relevant to the LED) to align them, where necessary, with EU data protection law.
Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.
The European Commission endorsed its draft implementing decision (hereinafter “draft decision”) on the adequate protection of personal data by the United Kingdom (hereinafter “UK”) pursuant to the LED on 19 February 20212. Following this, the European Commission initiated the procedure for its formal adoption.
On June 1st, the EU Parliament discussed the adequacy decision of data protection in the UK and made the following decision:
The European Commission should amend its draft decision on UK data protection to ensure EU standards for citizens’ privacy are respected. In a resolution passed on Friday (344 votes in favour, 311 against and 28 abstaining), MEPs ask the Commission to modify its draft decisions on whether or not UK data protection is adequate and data can safely be transferred there, bringing them in line with the latest EU court rulings and responding to concerns raised by the European Data Protection Board (EDPB) in its recent opinions. The EDPB considers that UK bulk access practices, onward transfers and its international agreements need to be clarified further. The resolution states that, if the implementing decisions are adopted without changes, national data protection authorities should suspend transfers of personal data to the UK when indiscriminate access to personal data is possible.
Before the vote, MEPs debated the UK adequacy decision and the “Schrems II” resolution on EU-US data flows. Several political groups emphasised the need for strong data rights in Europe and the dangers of mass surveillance, with others arguing that the UK has a high level of data protection, and that adequacy decisions help businesses and facilitate cross-border crime-prevention.
Exemptions for national security and immigration The resolution states that the UK’s basic data protection framework is similar to that of the EU, but raises concerns about its implementation. Notably, the UK regime contains exemptions in the fields of national security and immigration, which now also apply to EU citizens wishing to stay or settle in the UK. Current UK legislation also allows for bulk data to be accessed and retained without a person being under suspicion for perpetrating a crime, and the EU court has found indiscriminate access to be inconsistent with the General Data Protection Regulation (GDPR), warns the text.
Finally, MEPs underline that provisions on metadata (or “secondary data”) do not reflect the sensitive nature of such data and are therefore misleading. Although the Parliament objects to the Commission’s draft implementing acts granting data adequacy decisions for these reasons, MEPs welcome recent legislative changes that provide citizens access to judicial redress on data decisions and detailed oversight reports available for data interception on nation security grounds.
Third countries and onward transfers MEPs also worry about onward data transfers. The UK’s data-sharing agreements with the US mean EU citizens’ data could be shared across the Atlantic, despite recent rulings of the European Court of Justice that found US practices of bulk data access and retention incompatible with GDPR. Also, the UK’s application to join the Comprehensive and Progressive Trans-Pacific Partnership (CPTPP) could have implications for data flow to countries that do not have an adequacy decision from the EU.
Parliament urges the Commission and the UK authorities to address all these issues and insists that no adequacy decision should be granted. MEPs specify that no-spying agreements between member states and the UK could help solve matters.
Next steps The Commission is expected to decide on the UK’s data protection and the continuation of data transfers across the Channel in the coming months. Addressing the plenary before the vote, Commissioner for Justice Didier Reynders stressed that the UK’s current legislation is very similar to that of the EU. However, future divergence is possible, and this is why the adequacy decision’s four-year sunset clause is very necessary, he pointed out.
So it is currently in the stars when an adequacy agreement is to be expected. It is to be expected that the transitional period for interim equivalence will pass. After that, the data exchange can probably only be processed on the basis of con SCC (Standard Contractual Clauses). Unless, of the short term, it is decided to extend the transitional period.
28 June 2021: It almost borders on a miracle: 48 hours before the end of the transition period, the EU Commission has adopted two adequacy decisions on data protection. Here is the wording from the EU-Press Release:
The Commission has today adopted two adequacy decisions for the United Kingdom - one under the General Data Protection Regulation (GDPR) and the other for the Law Enforcement Directive. Personal data can now flow freely from the European Union to the United Kingdom where it benefits from an essentially equivalent level of protection to that guaranteed under EU law. The adequacy decisions also facilitate the correct implementation of the EU-UK Trade and Cooperation Agreement, which foresees the exchange of personal information, for example for cooperation on judicial matters. Both adequacy decisions include strong safeguards in case of future divergence such as a ‘sunset clause', which limits the duration of adequacy to four years.
Věra Jourová, Vice-President for Values and Transparency, said: “The UK has left the EU but today its legal regime of protecting personal data is as it was. Because of this, we are adopting these adequacy decisions today. At the same time, we have listened very carefully to the concerns expressed by the Parliament, the Members States and the European Data Protection Board, in particular on the possibility of future divergence from our standards in the UK's privacy framework. We are talking here about a fundamental right of EU citizens that we have a duty to protect. This is why we have significant safeguards and if anything changes on the UK side, we will intervene”.
Didier Reynders, Commissioner for Justice, said: “After months of careful assessments, today we can give EU citizens certainty that their personal data will be protected when it is transferred to the UK. This is an essential component of our new relationship with the UK. It is important for smooth trade and the effective fight against crime. The Commission will be closely monitoring how the UK system evolves in the future and we have reinforced our decisions to allow for this and for an intervention if needed. The EU has the highest standards when it comes to personal data protection and these must not be compromised when personal data is transferred abroad.”
Key elements of the adequacy decisions
- The UK's data protection system continues to be based on the same rules that were applicable when the UK was a Member State of the EU. The UK has fully incorporated the principles, rights and obligations of the GDPR and the Law Enforcement Directive into its post-Brexit legal system.
- With respect to access to personal data by public authorities in the UK, notably for national security reasons, the UK system provides for strong safeguards. In particular, the collection of data by intelligence authorities is, in principle, subject to prior authorisation by an independent judicial body. Any measure needs to be necessary and proportionate to what it intends to achieve. Any person who believes they have been the subject of unlawful surveillance may bring an action before the Investigatory Powers Tribunal. The UK is also subject to the jurisdiction of the European Court of Human Rights and it must adhere to the European Convention of Human Rights as well as to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, which is the only binding international treaty in the area of data protection. These international commitments are an essential elements of the legal framework assessed in the two adequacy decisions.
- For the first time, the adequacy decisions include a so-called ‘sunset clause', which strictly limits their duration. This means that the decisions will automatically expire four years after their entry into force. After that period, the adequacy findings might be renewed, however, only if the UK continues to ensure an adequate level of data protection. During these four years, the Commission will continue to monitor the legal situation in the UK and could intervene at any point, if the UK deviates from the level of protection currently in place. Should the Commission decide to renew the adequacy finding, the adoption process would start again.
- Transfers for the purposes of UK immigration control are excluded from the scope of the adequacy decision adopted under the GDPR in order to reflect a recent judgment of the England and Wales Court of Appeal on the validity and interpretation of certain restrictions of data protection rights in this area. The Commission will reassess the need for this exclusion once the situation has been remedied under UK law.
On 19 February, the Commission published two draft adequacy decisions and launched the procedure for their adoption. Over the past months, the Commission has carefully assessed the UK's law and practice on personal data protection, including the rules on access to data by public authorities in the UK. The Commission has been in close contact with the European Data Protection Board, which gave its opinion on 13 April, the European Parliament and the Member States. Following this in-depth process, the European Commission requested the green light on the adequacy decisions from Member States' representatives in the so-called comitology procedure. The adoption of the decisions today, following the agreement from Member States' representatives, is the last step in the procedure. The two adequacy decisions enter into force today.
The EU-UK Trade and Cooperation Agreement (TCA) includes a commitment by the EU and UK to uphold high levels of data protection standards. The TCA also provides that any transfer of data to be carried out in the context of its implementation has to comply with the data protection requirements of the transferring party (for the EU, the requirements of the GDPR and the Law Enforcement Directive). The adoption of the two unilateral and autonomous adequacy decisions is an important element to ensure the proper application and functioning of the TCA. The TCA provides for a conditional interim regime under which data can flow freely from the EU to the UK. This interim period expires on 30 June 2021.
28 June 2021 Subsequently we publish here the press-reöease of the UK Government:
EU adopts ‘adequacy’ decisions allowing data to continue flowing freely to the UK
UK businesses and other organisations will benefit from unrestricted personal data transfers
- The European Union (EU) has formally recognised the UK’s high data protection standards after more than a year of constructive talks
- This will allow the continued seamless flow of personal data from the EU to the UK
Personal data can continue to flow freely between Europe and the UK following agreement by the European Union to adopt ‘data adequacy’ decisions.
The UK government welcomes the move, which rightly recognises the country’s high data protection standards. Formal adoption of the decisions under the EU General Data Protection Regulation (GDPR) and Law Enforcement Directive (LED) allows personal data to flow freely from the EU and wider European Economic Area (EEA) to the UK. The decisions mean that UK businesses and organisations can continue to receive personal data from the EU and EEA without having to put additional arrangements in place with European counterparts.
This free flow of personal data supports trade, innovation and investment, assists with law enforcement agencies tackling crime, and supports the delivery of critical public services sharing personal data as well as facilitating health and scientific research.
The UK, which now operates a fully independent data policy, has already recognised the EU and EEA member states as ‘adequate’, as part of its commitment to establish a smooth transition for the UK’s departure from the bloc.
The government plans to promote the free flow of personal data globally and across borders, including through ambitious new trade deals and through new data adequacy agreements with some of the fastest growing economies, while ensuring people’s data continues to be protected to a high standard.
All future decisions will be based on what maximises innovation and keeps up with evolving tech. As such, the government’s approach will seek to minimise burdens on organisations seeking to use data to tackle some of the most pressing global issues, including climate change and the prevention of disease.
Secretary of State for Digital Oliver Dowden said:
After more than a year of constructive talks it is right the European Union has formally recognised the UK’s high data protection standards. This will be welcome news to businesses, support continued cooperation between the UK and the EU and help law enforcement authorities keep people safe. We will now focus on unlocking the power of data to drive innovation and boost the economy while making sure we protect people’s safety and privacy.
John Foster CBI Director of Policy said:
This breakthrough in the EU-UK adequacy decision will be welcomed by businesses across the country. The free flow of data is the bedrock of the modern economy and essential for firms across all sectors– from automotive to logistics – playing an important role in everyday trade of goods and services. This positive step will help us move forward as we develop a new trading relationship with the EU.
Julian David techUK CEO said:
Securing an EU-UK adequacy decision has been a top priority for techUK and the wider tech industry since the day after the 2016 referendum. The decision that the UK’s data protection regime offers an equivalent level of protection to the EU GDPR is a vote of confidence in the UK’s high data protection standards and is of vital importance to UK-EU trade as the free flow of data is essential to all business sectors. The data adequacy decision also provides a basis for the UK and EU to work together on global routes for the free flow of data with trust, building on the G7 Digital and Technology declaration and possibly unlocking €2 trillion of growth. The UK must also now move to complete the development of its own international data transfer regime in order to allow companies in the UK not just to exchange data with the EU, but also to be able to access opportunities across the world.
Conclusion: with these decisions, the EU has created the possibility for companies to continue working in the short to medium term for the foreseeable period of the next 4 years. However, one should be aware that this regulation involves a volatility through which the UK can finally fall into third country status, with the consequences for the loss of equivalence status.