The European Union Commission issued its draft adequacy decision for data flows between the European Union (EU) and United Kingdom (UK). The EU Commission started the process of the adoption of two adequacy decisions for transfers of personal data to the United Kingdom. The publication of the draft decisions is the beginning of a process towards their adoption. After Brexit, The UK became a “third country” for the privacy laws governing the EU. The recent adequacy decision assured that data protection in the UK is up to standard.
Didier Reynders, Commissioner for Justice, said: “A flow of secure data between the EU and the UK is crucial to maintain close trade ties and cooperate effectively in the fight against crime. Today we launch the process to achieve that. We have thoroughly checked the privacy system that applies in the UK after it has left the EU. Now European Data Protection Authorities will thoroughly examine the draft texts. EU citizens’ fundamental right to data protection must never be compromised when personal data travel across the Channel. The adequacy decisions, once adopted, would ensure just that.”
Věra Jourová, Vice-President for Values and Transparency, said: “Ensuring free and safe flow of personal data is crucial for businesses and citizens on both sides of the Channel. The UK has left the EU, but not the European privacy family. At the same time, we should ensure that our decision will stand the test of time. This is why we included clear and strict mechanisms in terms of both monitoring and review, suspension or withdrawal of such decisions, to address any problematic development of the UK system after the adequacy would be granted.”
The UK and the EU are still subject to separate regulatory regimes but from the first of January, 2021 organisations that process data in the EU and the UK are now subject to both the EU GDPR and the UK GDPR. Depending on the operations of the organisations, they may need to:
- Appoint an EU representative or a UK representative
- Consider which EEA or EU supervisory authority will be their lead authority, given that the UK Information Commissioner’s Office may no longer be the lead supervisory authority for data controllers and data processors located in the UK without a main establishment in the EEA.