Earlier on 19th February, the European Commission had published two draft adequacy decisions in favor of the United Kingdom (UK). Today, the Commission has adopted these two data adequacy decisions favoring the UK- one under the General Data Protection Regulation (GDPR) and the other for the Law Enforcement Directive. The decision will ensure the free flow of data from the European Union to the United Kingdom.
Since the UK is no more a part of the European Union, it is effectively a third country. And the GDPR restricts the transfer of personal data to third countries unless similar levels of data protection are in place in the country in question. However, the European Commission has the power to determine if a third country has such an adequate level of data protection.
After Brexit, the UK Parliament amended its Data Protection Act, 2018, and passed the Data Protection, Privacy Electronic Communications (Amendments, etc.) (EU Exit) regulations on 14th October 2020. Basically, these amendments absorbed the GDPR into domestic law (UK GDPR) to the Data Protection Act, 2018. These laws mirror the GDPR to a great extent but deviate in some areas.
Hence, the decision comes as the Commission has concluded that the UK’s data protection system continues to be based on the same rules that were applicable when the UK was a Member State of the EU.
‘The Sunset Clause’
There has been some controversy around the UK’s surveillance regime and the Investigatory Powers Act in particular. But the Commission notes that the UK system provides strong safeguards. It further notes that the access to personal data by national authorities is subject to prior authorization by an independent judicial body, which again is based on key data protection principles. Besides, any person may raise a grievance before the Investigatory Powers Tribunal.
Lastly, the Commission notes that the UK is subject to the jurisdiction of the European Court of Human Rights, and must adhere to the European Convention of Human Rights and the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. The Commission considers these international Commitments as an essential element of the legal framework it assessed for the decisions.
However, a ‘sunset clause’ in the decisions will limit it to a period of four years. The decision would need to be renewed only after a fresh assessment of the UK’s data protection regime. The Commission will also continue to monitor the legal situation in the UK and could intervene at any point.
The clause holds vital importance, as a special taskforce has recently advised the UK PM to replace the existing data protection rules. It termed the GDPR as “prescriptive and inflexible.”