Current Status of Personal Data Transfers Between the EU and the UK

04.10.2021 | Author: Top privacy s.r.o.

In May of this year, we informed you about the impact of Brexit on the transfer of personal data between the EU and the United Kingdom, and about the alternative safeguards that the United Kingdom had at its disposal to adopt after the end of the transition period. What has changed since then?

On June 28, 2021, the European Commission (hereinafter referred to as “the Commission”) announced that it had adopted two adequacy decisions regarding the United Kingdom. It thereby determined that personal data can continue to flow freely between the EU and the United Kingdom, subject to the same level of protection as guaranteed under European law.

Both decisions contain a detailed assessment of UK laws and systems ensuring the protection of personal data and highlight the fact that the United Kingdom provides adequate protection for personal data transferred between the EU and the UK.

The approved adequacy decisions are expected to expire in June 2025, and the Commission will begin work as early as the second half of 2024 to determine whether or not to extend the validity of the adequacy decisions for another four years.

Key points arising from the adequacy decisions:

- Despite Brexit, the UK’s data protection system remains subject to the same rules as when the United Kingdom was an EU member state;
- With regard to access to personal data by UK public authorities, particularly for national security reasons, the UK system provides strong safeguards:

  • data collection by intelligence agencies is subject to prior authorization by independent judicial authorities—any measure must be necessary and proportionate to the objective pursued;
  • if data subjects (companies, organizations, etc.) believe they have been subjected to unlawful surveillance, they may file a complaint with the relevant authority, which in this case is the Investigatory Powers Tribunal;
  • the United Kingdom remains subject to the jurisdiction of the European Court of Human Rights and must comply with the European Convention on Human Rights as well as the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. The latter convention is the only binding international convention in the field of personal data protection. These obligations under international law constitute the fundamental elements of the legal framework assessed in an adequacy decision;

- For the first time, adequacy decisions include a so-called “sunset clause,” which strictly limits the validity of the decision. In practice, this means that the decisions automatically expire four years after they enter into force. Adequacy decisions may be renewed upon expiration, but only if the United Kingdom continues to provide an adequate level of personal data protection. During these four years, the Commission will continuously monitor the legal situation in the country, and if the UK system deviates in any way from the current situation, the Commission may intervene at any time;
- The provision regarding data transfers for the purposes of UK immigration control is excluded from the scope of the adequacy decision adopted under the GDPR, to take into account a recent Court of Appeal ruling on the validity and interpretation of certain restrictions on data protection rights. The Commission will reassess the need for this exclusion once the situation has been rectified under UK law.

