Currently, transfers of personal data from the EEA to the UK are protected on a transitional basis only until 30 June 2021 under last December's post-Brexit Trade and Cooperation Agreement. However, the situation after that is currently uncertain.
The EU Commission has now published draft adequacy decisions for transfers of personal data to the United Kingdom, under both the GDPR and the Law Enforcement Directive. This is welcome news, as it will provide a greater degree of certainty for organisations who rely on cross-border data flows, and particular those of in data-rich sectors.
As might be expected, there is extensive discussion of the investigatory powers of the UK intelligence agencies, set out in the Investigatory Powers Act 2016, the Regulation of Investigatory Powers Act 2000, etc). The draft decisions conclude that there are sufficient controls, oversight mechanisms and redress measures in the UK system to meet the “essentially equivalent” standard.
Before these decisions can be adopted there will need to be an opinion from the European Data Protection Board (EDPB) and approval from EU member state representatives.
Once adopted, the decisions will be valid for four years, with the possibility of renewal thereafter. Hopefully roll-over will be straightforward. However, there will be ongoing monitoring, and the decisions can be amended or repealed if the level of protection in the UK system is reduced and action not taken to to restore it. Adequacy decisions can also be subject to legal challenge, as shown in the Schrems II decision.
The EU Commission's press release indicates that continued adherence to the European Convention of Human Rights and to “Convention 108” of the Council of Europe serve to demonstrate that the UK remains a member of the European “privacy family”, and that this is of particular importance for the stability and durability of the proposed adequacy findings.
The transitional protection will fall away once the draft adequacy decisions are finalised.