Following Brexit, the United Kingdom became a third country under the EU General Data Protection Regulation (GDPR). As a result, transfers of personal data from the EU to the UK are allowed only if the level of data protection in the UK is equivalent to that of the EU. The European Commission can confirm the level of data protection with an adequacy decision under the GDPR. But whether this will happen in time for the UK and whether courts will challenge the UK’s data adequacy status is uncertain.
Draft adequacy decision
On 19 February 2021, the European Commission launched the process towards the adoption of an adequacy decision for transfers of personal data to the United Kingdom. In addition, the Commission provided information on the next steps and published a draft adequacy decision. The European Data Protection Board will issue an opinion next and the Commission’s decision must be approved and adopted by Member States.
The development is to be welcomed, but the European Court of Justice (ECJ) “Schrems II” decision of July 2020 may impact the outcome. The decision could be called into question and courts may challenge the UK’s data adequacy status in the future.
The ECJ confirmed that the indiscriminate access to and retention of traffic and location data by UK intelligence services was unlawful (judgment on 6 October 2020, C-623/17). Therefore, even if an adequacy decision is adopted, it could still be subsequently overturned by the ECJ.
It appears that this is yet another extension of the Brexit transition period and the Brexit deal. Companies transferring data between the EU and the UK should think carefully about this and about putting into place alternative data protection safeguards.
Prepared for all Brexit contingencies?
Get your expert data protection advice now!