EDPB Releases Opinions on Draft UK Adequacy Decisions regarding Cross-Border Data Flows
Publication: ZRVP
On 13 April 2021, the European Data Protection Board (EDPB) has released two opinions on the European Commission Draft Implementing Decisions on the adequate protection of personal data in the United Kingdom. The European Commission has thoughtfully assessed the UK’s law and practice on personal data protection and concluded that the level of protection guaranteed in the UK is fundamentally equivalent to that of the EU, ensured under both the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED).
Post-Brexit consequences are observed on how transfers of personal data from the European Economic Area (EEA) to the UK should be treated. Although the EU-UK Trade and Cooperation Agreement has made it possible to freely transfer personal data for an additional period of six months over the Brexit transition period, its validity is coming to an end, in which case transfers of personal data between these areas will be subject to rules contained in the GDPR.
To ensure all necessary conditions for a smooth data flow between the EEA and the UK, the European Commission published the draft UK adequacy decisions which would permit the free flow of such data, also initiating the procedure for its formal adoption.
Additionally, the EDPB has adopted two positive opinions on the draft UK adequacy decisions, finding many aspects of the UK data protection framework to be “essentially equivalent” to the safeguards under the GDPR.
In the First Opinion, the EDPB basically observes that in data protection there is an encouraging degree of alignment between the GDPR framework and the UK legal framework on data protection concepts and on core data protection provisions, such as transparency, data equality and proportionality or purpose limitation.
Although the UK legal framework is not expected to replicate the European data protection law, EDBP draws attention to certain challenges that should be further assessed and addressed. One major risk is envisaging future separate and independent policies which could be adopted by the UK and which could cause divergence between the UK and EU data protection frameworks.
Another threat could be the way in which personal data is transferred between UK and other third countries. EDBP considers that such transfers should only be permitted from the UK to third countries if the level of data protection in the importing third countries ensures the same level of protection.
The Second EDPB Opinion highlights that the fundamental principles on data protection are reflected properly in the UK legal framework and recommends keeping an eye on the developments regarding the UK data protection legislation.
Considering the analysis fulfilled by EDBP, the European Commission might consider further amendments of the draft decisions that could address the concerns highlighted by these opinions, yet the process being positively developed in a sense that would permit their formal adoption.