Achieving Adequacy? European Commission Adopts UK Adequacy Decisions for Data Protection

The European Commission has carefully analyzed the law and practice of the United Kingdom (UK). Based on the findings the Commission concludes that the UK ensures an adequate level of protection for personal data transferred within the scope of Regulation (EU) 2016/679 from the European Union to the UK. Additionally, the Commission concludes that the UK ensures an adequate level of protection for personal data transferred from competent authorities in the Union, falling within the scope of Directive (EU) 2016/680, to competent authorities in the UK falling within the scope of Part 3 of the Data Protection Act 2018 (DPA 2018).

en flag
nl flag
et flag
fi flag
fr flag
de flag
he flag
ja flag
lv flag
pl flag
pt flag
ru flag
es flag

Content Assessment: European Commission Adopts UK Adequacy Decisions for Data Protection

Information - 90%
Insight - 90%
Relevance - 95%
Objectivity - 95%
Authority - 100%

94%

Excellent

A short percentage-based assessment of the qualitative benefit of the recent post highlighting the European Commission adoption of UK data protection adequacy decisons.

Editor’s Note: From time to time, ComplexDiscovery highlights publicly available or privately purchasable announcements, content updates, and research from cyber, data, and legal discovery providers, research organizations, and ComplexDiscovery community members. While ComplexDiscovery regularly highlights this information, it does not assume any responsibility for content assertions.

To submit recommendations for consideration and inclusion in ComplexDiscovery’s cyber, data, and legal discovery-centric service, product, or research announcements, contact us today.

Press Announcement

Data Protection: Commission Adopts Adequacy Decisions for the UK

The Commission has today [28 June 2021] adopted two adequacy decisions for the United Kingdom – one under the General Data Protection Regulation (GDPR) and the other for the Law Enforcement Directive. Personal data can now flow freely from the European Union to the United Kingdom where it benefits from an essentially equivalent level of protection to that guaranteed under EU law. The adequacy decisions also facilitate the correct implementation of the EU-UK Trade and Cooperation Agreement, which foresees the exchange of personal information, for example for cooperation on judicial matters. Both adequacy decisions include strong safeguards in case of future divergence such as a ‘sunset clause’, which limits the duration of adequacy to four years.

Věra Jourová, Vice-President for Values and Transparency, said: “The UK has left the EU but today its legal regime of protecting personal data is as it was. Because of this, we are adopting these adequacy decisions today. At the same time, we have listened very carefully to the concerns expressed by the Parliament, the Members States and the European Data Protection Board, in particular on the possibility of future divergence from our standards in the UK’s privacy framework. We are talking here about a fundamental right of EU citizens that we have a duty to protect. This is why we have significant safeguards and if anything changes on the UK side, we will intervene”.

Didier Reynders, Commissioner for Justice, said: “After months of careful assessments, today we can give EU citizens certainty that their personal data will be protected when it is transferred to the UK. This is an essential component of our new relationship with the UK. It is important for smooth trade and the effective fight against crime. The Commission will be closely monitoring how the UK system evolves in the future and we have reinforced our decisions to allow for this and for an intervention if needed. The EU has the highest standards when it comes to personal data protection and these must not be compromised when personal data is transferred abroad.”

Key elements of the adequacy decisions

  • The UK’s data protection system continues to be based on the same rules that were applicable when the UK was a Member State of the EU. The UK has fully incorporated the principles, rights and obligations of the GDPR and the Law Enforcement Directive into its post-Brexit legal system.
  • With respect to access to personal data by public authorities in the UK, notably for national security reasons, the UK system provides for strong safeguards. In particular, the collection of data by intelligence authorities is, in principle, subject to prior authorisation by an independent judicial body. Any measure needs to be necessary and proportionate to what it intends to achieve. Any person who believes they have been the subject of unlawful surveillance may bring an action before the Investigatory Powers Tribunal. The UK is also subject to the jurisdiction of the European Court of Human Rights and it must adhere to the European Convention of Human Rights as well as to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, which is the only binding international treaty in the area of data protection. These international commitments are an essential elements of the legal framework assessed in the two adequacy decisions.
  • For the first time, the adequacy decisions include a so-called ‘sunset clause’, which strictly limits their duration. This means that the decisions will automatically expire four years after their entry into force. After that period, the adequacy findings might be renewed, however, only if the UK continues to ensure an adequate level of data protection. During these four years, the Commission will continue to monitor the legal situation in the UK and could intervene at any point, if the UK deviates from the level of protection currently in place. Should the Commission decide to renew the adequacy finding, the adoption process would start again.
  • Transfers for the purposes of UK immigration control are excluded from the scope of the adequacy decision adopted under the GDPR in order to reflect a recent judgment of the England and Wales Court of Appeal on the validity and interpretation of certain restrictions of data protection rights in this area. The Commission will reassess the need for this exclusion once the situation has been remedied under UK law.

Background

On 19 February, the Commission published two draft adequacy decisions and launched the procedure for their adoption. Over the past months, the Commission has carefully assessed the UK’s law and practice on personal data protection, including the rules on access to data by public authorities in the UK. The Commission has been in close contact with the European Data Protection Board, which gave its opinion on 13 April, the European Parliament and the Member States. Following this in-depth process, the European Commission requested the green light on the adequacy decisions from Member States’ representatives in the so-called comitology procedure. The adoption of the decisions today, following the agreement from Member States’ representatives, is the last step in the procedure. The two adequacy decisions enter into force today.

The EU-UK Trade and Cooperation Agreement (TCA) includes a commitment by the EU and UK to uphold high levels of data protection standards. The TCA also provides that any transfer of data to be carried out in the context of its implementation has to comply with the data protection requirements of the transferring party (for the EU, the requirements of the GDPR and the Law Enforcement Directive). The adoption of the two unilateral and autonomous adequacy decisions is an important element to ensure the proper application and functioning of the TCA. The TCA provides for a conditional interim regime under which data can flow freely from the EU to the UK.  This interim period expires on 30 June 2021.

Read the original announcement.


Decision on Adequate Protection of Personal Data by the UK – GDPR (PDF) – Mouseover to Scroll

Decision on the Adequate Protection of Personal Data by the United Kingdom – General Data Protection Regulation

Decision on Adequate Protection of Personal Data by the UK – Law Enforcement Directive (PDF) – Mouseover to Scroll

Decision on the Adequate Protection of Personal Data by the United Kingdom – Law Enforcement Directive

Review the data protection adequacy decisions from the European Commission.

Additional Reading

Source: ComplexDiscovery

 

Have a Request?

If you have information or offering requests that you would like to ask us about, please let us know and we will make our response to you a priority.

ComplexDiscovery is an online publication that highlights cyber, data and legal discovery insight and intelligence ranging from original research to aggregated news for use by business, information technology, and legal professionals. The highly targeted publication seeks to increase the collective understanding of readers regarding cyber, data and legal discovery information and issues and to provide an objective resource for considering trends, technologies, and services related to electronically stored information.

ComplexDiscovery OÜ is a technology marketing firm providing strategic planning and tactical execution expertise in support of cyber, data and legal discovery organizations. Registered as a private limited company in the European Union country of Estonia, one of the most digitally advanced countries in the world, ComplexDiscovery OÜ operates virtually worldwide to deliver marketing consulting and services.

Joint Cybersecurity Advisory from the CISA, FBI, and NSA on BlackMatter Ransomware

This Joint Cybersecurity Advisory from the CISA, FBI, and NSA provides...

Keeping Secrets? Ransomware Trends in Bank Secrecy Act Data Between January 2021 and June 2021

According to a recently published report, the U.S. Treasury's Financial Crimes...

A Geographical Depiction: Ransomware Attacks in the United States Between 2018 and Today

Published by Comparitech, a pro-consumer website providing information, tools, reviews, and...

Recommendations for Mitigating the Risk of Software Vulnerabilities: NIST Secure Software Development Framework

This draft document from NIST on a proposed secure software development...

Consilio Completes Acquisition of Legal Consulting and eDiscovery Business Units of Special Counsel from Adecco

According to Andy Macdonald, CEO of Consilio, “Consilio’s acquisition of D4...

Cellebrite to Acquire Digital Clues

According to Cellebrite CEO Yossi Carmil, “We are pleased to announce...

iCONECT Acquires Ayfie Inspector Artificial Intelligence Codebase

According to Ian Campbell, CEO of iCONECT, “Direct access to the...

eDiscovery Mergers, Acquisitions, and Investments in Q3 2021

From Ipro and Disco to Nuix and Lighthouse, the following findings,...

A New Era in eDiscovery? Framing Market Growth Through the Lens of Six Eras

There are many excellent resources for considering chronological and historiographical approaches...

An eDiscovery Market Size Mashup: 2020-2025 Worldwide Software and Services Overview

While the Compound Annual Growth Rate (CAGR) for worldwide eDiscovery software...

Resetting the Baseline? eDiscovery Market Size Adjustments for 2020

An unanticipated pandemeconomic-driven retraction in eDiscovery spending during 2020 has resulted...

Home or Away? New eDiscovery Collection Market Sizing and Pricing Considerations

One of the key home (onsite) or away (remote) decisions that...

Five Great Reads on Cyber, Data, and Legal Discovery for September 2021

From countering ransomware to predictive coding and packaged services, the September...

Five Great Reads on Cyber, Data, and Legal Discovery for August 2021

From the interplay of digital forensics in eDiscovery to collecting online...

Five Great Reads on Cyber, Data, and Legal Discovery for July 2021

From considerations for cyber insurance and malware to eDiscovery business confidence...

Five Great Reads on eDiscovery for June 2021

From remediating cyberattacks to eDiscovery pricing, the June 2021 edition of...

Harvest Time? eDiscovery Operational Metrics in the Fall of 2021

In the fall of 2021, 67 eDiscovery Business Confidence Survey participants...

Unseasonably Hot? Fall 2021 eDiscovery Business Confidence Survey Results

Since January 2016, 2,595 individual responses to twenty-four quarterly eDiscovery Business...

More Keepers? Predictive Coding Technologies and Protocols Survey – Fall 2021 Results

From the most prevalent predictive coding platforms to the least commonly...

Glowing Expectations? Eighteen Observations on eDiscovery Business Confidence in the Summer of 2021

In the summer of 2021, 63.3% of survey respondents felt that...