Currently, transfers of personal data from controllers or processors in the EEA to the UK are protected on a transitional basis only. This transitional protection will last until 30 June 2021 under December's post-Brexit Trade and Cooperation Agreement. However, the situation after that is uncertain.
The EU Commission has now published draft adequacy decisions for transfers of personal data to the United Kingdom, under both the GDPR and the Law Enforcement Directive. This is welcome news, as it will provide a greater degree of certainty for organisations who rely on cross-border data flows, and particular those of in data-rich sectors.
As might be expected, the documents include extensive discussion of the investigatory powers of the UK intelligence agencies, set out in the Investigatory Powers Act 2016, the Regulation of Investigatory Powers Act 2000, etc). The draft decisions conclude that there are sufficient controls, oversight mechanisms and redress measures in the UK system to meet the “essentially equivalent” standard.
Before the decisions can be finalised and adopted there will need to be an opinion from the European Data Protection Board (EDPB) and approval from EU member state representatives.
Once adopted, the decisions will be valid for four years, with the possibility of renewal thereafter. Hopefully roll-over will be straightforward. However, there will be ongoing monitoring, and the decisions can be amended or repealed if the level of protection in the UK system is reduced and action not taken to to restore it.
The EU Commission's press release indicates that continued adherence to the European Convention of Human Rights and to “Convention 108” of the Council of Europe serve to demonstrate that the UK remains a member of the European “privacy family”, and that this is of particular importance for the stability and durability of the proposed adequacy findings.
The transitional protection provided by the Trade and Cooperation Agreement will fall away once the draft adequacy decisions are finalised.