30/03/21 – As part of the Trade and Cooperation Agreement announced just before Christmas, the EU and the UK agreed a six-month ‘bridging period’ allowing transfers of personal data from the EEA to the UK to continue freely until 30th June 2021 – more detail here. Half-way through the bridging period is probably a good time for an update.
Update? Didn’t I read a few weeks ago that the EU issued the UK adequacy decision, and it’s now all done and dusted?
No, not really. What happened is that on 19th February 2021 the European Commission issued two UK adequacy decisions (one for transfers under the GDPR, and the other for transfers under the Law Enforcement Directive), but only in draft form. The drafts have now been passed to the European Data Protection Board (EDPB) for them to review and issue their non-binding (but influential) ‘advisory opinions’. After the advisory opinions have been issued, and any EDPB-recommended changes have been incorporated into the text of the adequacy decisions, the drafts will then need to be approved by representatives of all 27 EU member states via the so-called ‘comitology procedure’. Once approved, the adequacy decisions can be formally adopted by the Commission, and become legally effective.
Ah, so not quite done and dusted. Will this all be wrapped up by 30th June?
Probably. The good news is that the draft adequacy decisions were issued by the European Commission without any material conditions attached to them, i.e. the Commission considers that the UK’s data protection laws and systems are adequate. Also positive was the prediction of the EU Head of International Data Flows, Bruno Gencarelli, who said in a LinkedIn webinar on 27th January 2021 that he was confident the UK adequacy decisions would be adopted “by the end of the bridging period”. Ditto the prediction of the EU Commissioner for Justice, Didier Reynders, who, according to Vincent Manancourt of politico.eu, said on 16th February 2021 that the EDPB’s “opinion on UK data flows decision [is] expected mid-April […] Whole process to be wrapped up by Brussels by end of May/early June”.
Less positive were the widely-publicised comments of the UK culture secretary Oliver Dowden, who in his FT article on 27th February said: “we do not need to copy and paste the EU’s rule book, the General Data Protection Regulation, word-for-word”; and that the UK can now be more “agile” when it comes to “[striking] our own international data partnerships with some of the world’s fastest growing economies. […] The EU has been slow to act on this, declaring only 12 countries ’adequate’ in the past few decades”. Announcing the UK’s intention to diverge from the GDPR and criticising the EU’s historic approach to adopting adequacy decisions, all while the EDPB is busy considering the UK’s application, may not have been Mr Dowden’s best idea.
All very interesting, but I’ve got data flows with EU customers and other data partners which need to continue after 30th June. What do I need to do?
You’ve got a number of options, including:
Tags: adequacy decision, brexit, EDPB, gdpr, SCCs, TCA
Posted in Privacy, Updates | No Comments »
29/12/20 – Prior to the announcement of the EU-UK Trade and Cooperation Agreement [1], I was having to explain to a client that it was looking increasing likely that, from 1st January 2021, transfers of personal data from organisations located in EEA countries to the UK would no longer be lawful. (more…)
Tags: adequacy decision, data protection, gdpr, TCA, third country, Trade and Cooperation Agreement
Posted in Privacy, Updates | No Comments »