On Oct. 11, 2021, EU CMSN published in OJ implementing regulation 2021/1772 of 28 June 2021 pursuant to regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom.
It was published together with commission implementing decision 2021/1773 of 28 June 2021 pursuant to directive (EU) 2016/680 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom, effective from Oct. 11.
On Feb. 19, EC issued draft decisions on personal data flows to UK.
EC launched process towards adoption of two adequacy decisions for transfers of personal data to the UK, one under GDPR and one for the law enforcement directive.
Publication of the draft decisions marks the start of a process towards their adoption.
This involves obtaining an opinion from EU EDPB and a green light from a member State committee; once this is complete, EC could proceed to adopt the two adequacy decisions.
EC assessed UK's law and practice on personal data protection, including on access to data by public authorities, and concluded UK ensures a level of protection equivalent to the one guaranteed under the general data protection regulation (GDPR) and, for the first time, under the law enforcement directive (LED).
Stated EU law has shaped UK's data protection regime for decades, and it is essential the adequacy findings are future proof now that UK is no longer bound by EU privacy rules.
Once the draft decisions are adopted, they would be valid for a first period of 4 years.
After 4 years, adequacy finding could be renewed if UK protection level is still adequate.
Until then, data flows between the EEA and UK remain safe thanks to a conditional interim regime that was agreed in the EU-UK trade and cooperation agreement.
Effectiveness
This interim period expires on Jun. 30, 2021.
In Feb. 2021, UK GVT welcomed EC's draft data adequacy decisions, see #98603.
In Mar. 2021, EDPB issued outcome of the 46th plenary session, see #100438.
In May 2021, EP urged EC to amend UK data adequacy draft decisions, see #106178.
Jun. 2021 Adequacy Decisions Adopted
On Jun. 28, 2021, EU CMSN announced the adoption of the UK adequacy decisions.
Decisions issued under GDPR and LED; personal data can now flow freely from EU to UK, where it benefits from an essentially equivalent level of protection to that in the EU.
Decisions also facilitate correct implementation of EU-UK TCA, which foresees exchange of personal data, e.g. for cooperation on judicial matters.
Both include strong safeguards re any future divergence, i.e. a sunset clause of 4 years.
This is the first time a sunset clause limiting duration is included in an adequacy decision.
Once expired, EC may decide to renew adequacy finding; adoption process then starts again.
Transfers for purposes of UK immigration control are excluded from scope of the GDPR decision, to reflect a recent judgment of the England and Wales Court of Appeal on the validity and interpretation of certain restrictions of data protection rights in this area.
The EC will reassess need for this exclusion once situation is remedied under UK law.
Re access to personal data by UK public authorities, notably for national security reasons, UK has strong safeguards; a person who believes they have been the subject of unlawful surveillance may bring an action before the Investigatory Powers Tribunal.
Decisions apply immediately and expire Jun. 27, 2025 unless extended in accordance with the procedure referred to in article 93(2) of GDPR and article 58(2) of LED, respectively.
Oct. 2021 Official Journal
On Oct. 11, 2021, EU CMSN published in OJ implementing regulation 2021/1772 of 28 June 2021 pursuant to regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom.
It was published together with commission implementing decision 2021/1773 of 28 June 2021 pursuant to directive (EU) 2016/680 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom, effective from Oct. 11.