The EU Commission on Monday adopted two adequacy decisions, recognizing the level of protection of the United Kingdom’s data protection laws as “essentially equivalent” with EU laws. This decision will allow the EU to UK data flow to continue even after Brexit.
In mid-February of this year, the Commission published two draft adequacy decisions and began the in-depth procedure process towards their adoption. One of the adequacy decisions included the General Data Protection Regulation (“GDPR”), a strict privacy reform, and the other for the Law Enforcement Directive (“LED”), an older law on the processing of data connected with criminal offenses.
The procedure process included the “Commission carefully analyzing the law and practice of the United Kingdom”, covering the restrictions on the transfer of personal data to a third country, and obtaining an opinion from the European Data Protection Board.
This decision now brings the long procedure process to an end. The Commission concluded that EU citizens’ personal information will be treated with the same level of protection as it would inside the bloc when transferred to the UK. “The United Kingdom ensures an adequate level of protection for personal data transferred within the scope of Regulation (EU) 2016/679 from the European Union to the United Kingdom.”
But, the decision included a “sunset clause’, which strictly limited the duration of the decision. Per the clause, the decisions will automatically expire and be up for review four years after their entry into force. “The adequacy regulations must be reviewed at intervals of not more than four years.” At review, the UK must show they have “ensured an adequate level of protection of personal data” in order for further renewal.