- Today’s draft decisions follow months of discussions and pave the way for continued free flow of data between the EU and the UK
- The UK now urges the EU to fulfil its declared commitment to complete the technical approval process swiftly, so that we have final data adequacy decisions as soon as possible
- This will provide certainty for businesses, enable continued cooperation between the UK and the EU, and will ensure law enforcement authorities can keep our citizens safe
The U.K. government welcomes the European Commission’s draft data adequacy decisions, which recognise the UK’s high data protection standards and set out that the UK should be found ‘adequate’.
The UK has a world-class data protection system, currently the same as the European Union’s, so it is logical that the Commission should find the UK ‘adequate’.
The EU already recognises other countries around the world as adequate including Argentina, Canada, Israel, Japan, New Zealand, Switzerland and Uruguay – and the UK freely exchanges data with these countries.
Positive data adequacy decisions under both the EU General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED) would allow for personal data to continue to flow freely from the European Union (EU) and wider European Economic Area (EEA) to the UK.
Seamless international data flows are essential in a hyper-connected world. They underpin the exchange of information and ideas supporting trade, innovation and investment, assist with law enforcement agencies tackling crime, and support the delivery of critical public services sharing personal data as well as facilitating health and scientific research.
Technical confirmation of the draft adequacy decisions will help make sure UK businesses and organisations in everything from logistics to legal services, healthcare to human resources, can continue to receive personal data from the EU and EEA without additional compliance costs. This ensures they will avoid potential knock-on effects for consumers and boost UK startups and smaller firms which operate in EU markets and sell to EU customers.
The UK formally provided the Commission with comprehensive explanatory material nearly a year ago at the start of the adequacy assessment in March 2020. The UK has already recognised the EU and EEA member states as ‘adequate’, as part of its commitment to establish a smooth transition for the UK’s departure from the bloc and manage data flows on an objective basis.
Since then, UK officials led by the Department for Digital, Culture, Media and Sport (DCMS) have held a series of discussions with their European Commission counterparts to reiterate carefully and fully the UK’s legal and regulatory framework and demonstrate beyond doubt that the UK clearly meets the EU’s data adequacy requirements.
The draft decisions published today by the Commission will now be shared with the European Data Protection Board for a ‘non-binding opinion’, before being presented to EU member states for formal approval.
The UK made its representations to the EU in a timely manner but the Commission did not finalise draft decisions in time to complete the adoption process by the end of the transition period. For this reason, as part of the UK/EU Trade and Cooperation Agreement, a time-limited ‘bridging mechanism’ for personal data flows was agreed. This currently allows personal data to continue to flow as it did before the end of the Brexit transition period for up to six months, while the EU completes the adequacy process.
The UK government now urges the EU to swiftly complete this technical process for adopting and formalising these adequacy decisions as early as possible.
Secretary of State for Digital Oliver Dowden:
I welcome the publication of these draft decisions which rightly reflect the UK’s commitment to high data protection standards and pave the way for their formal approval.
Although the EU’s progress in this area has been slower than we would have wished, I am glad we have now reached this significant milestone following months of constructive talks in which we have set out our robust data protection framework.
I now urge the EU to fulfil their commitment to complete the technical approval process promptly, so businesses and organisations on both sides can seize the clear benefits.
Julian David CEO of techUK said:
The European Commission’s decisions that the UK’s data protection regime offers an equivalent level of protection to the EU GDPR reflects the UK’s high data protection standards.
Today’s decision is warmly welcomed by the tech sector which has been making clear the importance of a mutual data adequacy agreement since the day after the referendum.
Receiving data adequacy, alongside the EU-UK Trade and Cooperation Agreement, will set a solid foundation for digital trade with the EU, including strong non-discrimination clauses and positive data flows provisions, that will give businesses the confidence to invest.
- The ‘bridging mechanism’ will remain in place until June 30 or until the adequacy decisions come into effect, whichever is sooner.
- The UK has a long and proud tradition of defending privacy rights. In the 1970s, the UK developed pioneering committees to explore the protection of personal data, and in 1981 the UK was one of the first to sign Council of Europe Convention 108. More recently, the UK played an active role in developing the GDPR and LED. The UK Government will continue to promote high data protection standards.