Yesterday, the European Data Protection Board (“EDPB”) adopted two Opinions put forth on the draft UK adequacy decisions for transfers of personal data to the UK at its 48th Plenary Session – one under the GDPR, and the other for the Law Enforcement Directive (“LED”).

This welcome development follows on from the launch of the European Commission’s process towards the adoption of two adequacy decisions for transfers of personal data to the United Kingdom on 19 February 2021, a link to which can be found here.

Andrea Jelinek, Chair of EDPB, said: “The UK data protection framework is largely based on the EU data protection framework… the EDPB recognizes that the UK has mirrored, for the most part, the GDPR and LED in its data protection framework”. This will be a very positive statement to those working to ensure the Commission’s adequacy decision is finalised.

Important point to note

It is, however, important to note that whilst the EDPB comments on the near identical similarities between the GDPR and the UK data protection framework, it did recommend that the European Commission should continue to closely monitor legal developments in the UK, with Andrea Jelinek stating: “whilst laws evolve, this alignment should be maintained. So, we welcome the European Commission’s decision to limit the granted adequacy in time and the intention to closely monitor developments in the UK.”

The reason for the “caveats”?

The EDPB recommended that the European Commission focus its future monitoring and/or assessment efforts on, in particular:

  1. The UK’s Immigration Exemption and its consequences on restrictions on data subject rights (which has been the subject of on-going debate for some time now); and
  2. The application of restrictions to onward transfers of EEA personal data transferred to the UK, on the basis of, for instance, future adequacy decisions adopted by the UK, international agreements concluded between the UK and third countries, or derogations.

For any adequacy decision to have longevity, the recommendations suggest that the UK data protection framework should be effectively tied to the GDPR. The recommendations provide the EU with the power to render the UK adequacy decision null and void in the event the UK passes new data protection laws which do not align with the GDPR.

Put simply, the draft UK adequacy decision says: an EEA state can freely share personal data with the UK if, and only if, the UK’s data protection framework continues to largely resemble the EU’s GDPR.

What is an adequacy decision?

Following Brexit, the UK is now considered as a ‘third country’ to the EU. Under the GDPR, for the EU to continue to transfer personal data to the UK, the European Commission must determine whether the UK has an adequate level of data protection – i.e. make an adequacy decision. The effect of the European Commission’s UK adequacy decision is that personal data can be freely transferred from an EEA state to the UK without any additional safeguards. This free flow of personal data is critically important to many UK businesses.

Next steps:

The European Commission will now request approval of its draft adequacy decisions from each of the EU Member States. Once this procedure has been completed, the adequacy decisions can be adopted.

For further information on the draft UK adequacy decision and how it might affect your business, please get in touch with our specialist Data Protection & Cyber Security team.