– Commission Adopts Draft UK Adequacy Decisions –
On 19th February, the European Commission published two draft adequacy decisions on the free flow of personal data from the EU to the UK. The first decision concerns transfers under the GDPR. The second decision concerns transfers under the LED. With the publication of the decisions, the Commission confirms that it believes the UK to offer an essentially equivalent standard of data protection to that offered in the EU. The publication begins the process for the final adoption of the decisions. This process “involves obtaining an opinion from the European Data Protection Board (EDPB) and the green light from a committee composed of representatives of the EU Member States.” Currently, transfers to the UK, without additional safeguards, are legitimated by an interim agreement under the EU-UK Trade and Cooperation Agreement. This interim agreement remains valid for four months from 1st January 2021 – with the option of extension by two months – or until the adoption of adequacy agreements. The publication of draft agreements should come as no surprise. There is undoubtedly considerable political pressure on the Commission to facilitate seamless personal data exchange with the UK. It is highly likely, however, that the eventual adoption of the draft agreements will face opposition moving forward. Sceptical opinions had already been issued as to the standard of UK data protection – in particular concerning the UK’s security and law enforcement frameworks– during post-Brexit negotiations. Even if the decisions are eventually adopted, there is still the possibility of intervention by the CJEU. The Court has already demonstrated its willingness to disagree with Commission evaluations of third-country data protection standards – see, for example, the recent Schrems II decision.
– Commission Adopts Draft UK Adequacy Decisions –
On 19th February, the European Commission published two draft adequacy decisions on the free flow of personal data from the EU to the UK. The first decision concerns transfers under the GDPR. The second decision concerns transfers under the LED. With the publication of the decisions, the Commission confirms that it believes the UK to offer an essentially equivalent standard of data protection to that offered in the EU. The publication begins the process for the final adoption of the decisions. This process “involves obtaining an opinion from the European Data Protection Board (EDPB) and the green light from a committee composed of representatives of the EU Member States.” Currently, transfers to the UK, without additional safeguards, are legitimated by an interim agreement under the EU-UK Trade and Cooperation Agreement. This interim agreement remains valid for four months from 1st January 2021 – with the option of extension by two months – or until the adoption of adequacy agreements. The publication of draft agreements should come as no surprise. There is undoubtedly considerable political pressure on the Commission to facilitate seamless personal data exchange with the UK. It is highly likely, however, that the eventual adoption of the draft agreements will face opposition moving forward. Sceptical opinions had already been issued as to the standard of UK data protection – in particular concerning the UK’s security and law enforcement frameworks– during post-Brexit negotiations. Even if the decisions are eventually adopted, there is still the possibility of intervention by the CJEU. The Court has already demonstrated its willingness to disagree with Commission evaluations of third-country data protection standards – see, for example, the recent Schrems II decision.