The European Commission considers that the laws on the protection of personal data of the European Union and the United Kingdom are similar and, for that reason, this Friday launched the process to declare them equivalent.
The agreement on the relationship between Brussels and London after Brexit includes a commitment by the two parties to maintain high standards on data protection, relevant in areas such as police and judicial cooperation. However, both the Twenty-Seven and the United Kingdom must unilaterally make adequacy decisions that confirm that the other party’s levels of protection of personal data are equivalent to their own. If that happens, transfers of personal data can be made without being subject to any other conditions.
In the case of the EU, it means certifying that British standards are equivalent to those established in the general data protection regulation, which regulates data transfers between commercial operators, and in the directive on data protection in the criminal field, for police and judicial cooperation.
The European Commission said in a statement that in recent months “it has carefully evaluated the law and practice of the United Kingdom regarding the protection of personal data, including the rules on access by public authorities.” Thus, it has concluded that the country “has an essentially equivalent level of protection to the one guaranteed under the general data protection regulation and, for the first time, the directive on data protection in criminal matters.”
For this reason, the Commission this Friday launched the procedure to declare the equivalence between British and Community standards. It did so by publishing two draft adequacy decisions for transfers of personal data to the United Kingdom, one under the general data protection regulation and the other for the directive on data protection in criminal matters. After the publication of these documents, it is necessary to obtain an opinion from the European Data Protection Board, an independent community body, and receive the approval of the Member States.
A qualified majority of the countries (fifteen countries representing at least 65% of the EU population) must decide in favor for the decision to go ahead. Once this procedure is completed, the Commission may adopt the two adequacy decisions. Until then, data flows between the European Economic Area and the UK are governed by an interim regime included in the post-Brexit trade deal. This regime expires on June 30.
Because the UK is a former Member State, EU law has shaped its data protection regime for decades, so UK law and the law of the 27 share the same starting point. At the same time, Brussels is aware that the UK is no longer bound by EU privacy rules. Therefore, once the equivalence decisions have been made, they will be valid for a period of four years.
After that time, the adequacy decision can be renewed if the UK’s level of protection remains equivalent to that of the European Union. “We intend to include in our adequacy decisions clear and strict mechanisms in terms of both supervision and review, suspension or withdrawal of such decisions, in order to address any problematic changes to the British system once the accommodation is granted,” stated Securities Commission Vice President Vera Jourova.
The draft adequacy decisions published today concern the flow of data from the EU to the UK. The UK has already decided that the Union ensures an adequate level of protection and that data can therefore flow freely from the UK to the 27. The British government welcomed the decision from Brussels in a statement and urged that the approval process be concluded.
Eddie is an Australian news reporter with over 9 years in the industry and has published on Forbes and TechCrunch.