The U.K. withdrew from the European Union on January 31, 2020. The transition period of the withdrawal lasted until December 31, 2020, and thus all laws applicable to the EU Member States were in effect during this period. But, effective January 1, 2021, U.K.’s sovereign state laws (U.K. GDPR and Data Protection Act 2018) came into power, which meant personal data transfers between the U.K. and EU nations no longer had a legal channel as the two now acted as separate entities.
However, it is to be noted that the U.K. “retained EU law,” which includes Regulation (EU) 2016/679 in its entirety (including its recitals). All the provisions and governance, which are applicable in EU’s laws for personal data protection are adopted by the U.K. as it is. Thus, considering this, the European Commission has initiated a process for transfers of personal data to the U.K. from other EU countries under two adequacy decisions: the General Data Protection Regulation (GDPR) and the other for the Law Enforcement Directive (LED).
Draft for Personal Data Transfer to U.K.
The publication of the draft decisions on behalf of the European Commission is a step towards their adoption. The draft will be opinionated by the European Data Protection Board (EDPB) and shall require a go-ahead from a committee that includes representatives from the EU Member States. The European Commission has already found the U.K.’s law and practice on personal data protection fit and equivalent to the one guaranteed under the GDPR and, for the first time, under the LED.
Didier Reynders, Commissioner for Justice, said, “A flow of secure data between the EU and the U.K. is crucial to maintain close trade ties and cooperate effectively in the fight against crime. Today we launch the process to achieve that. We have thoroughly checked the privacy system that applies in the U.K. after it has left the EU. Now European Data Protection Authorities will thoroughly examine the draft texts. EU citizens’ fundamental right to data protection must never be compromised when personal data travels across the Channel. The adequacy decisions, once adopted, would ensure just that.”
Citing that adequacy findings may require modifications in the future and that the U.K. will no longer be bound by EU privacy rules, the commission will adopt the two adequacy drafts for the first period of four years. Post this, it would be reviewed and renewed if the level of personal data protection in the U.K. continues to be adequate.
In the Meanwhile
Until the comitology procedure, which involves consent from the EU Member States, is completed, data flow between the European Economic Area and the U.K. will continue and remain safe under the conditional interim regime that was agreed in the EU-UK Trade and Cooperation Agreement. This interim period will expire on June 30, 2021.
The draft adequacy decisions presented to the EDPB talks about the flow of data from the EU to the U.K. However, data flows in the other direction – from the U.K. to the EU – are regulated by the U.K. legislation, which is in effect since January 1, 2021. The U.K. unanimously decided that the EU’s measures provide adequate protection and therefore data can flow freely from the U.K. to the EU uninterrupted.