The European Commission has adopted two data adequacy decisions that will enable the free flow of data between the UK and the EU.
It has confirmed the move that it indicated in February with a recognition that the UK’s regulations on the use of personal data are in line with those of the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED).
The commission said both decisions include strong safeguards in case of future divergence, such as a ‘sunset clause’, which limits the duration of adequacy for four years.
Other key elements of the decisions are that: the UK system is based on the same rules as when it was a member state of the EU; collection of personal data by intelligence authorities is subject to prior authorisation by an independent judicial body; and transfers for the purposes of immigration control are excluded from the scope of the GDPR decision.
The latter results from a recent Court of Appeal judgement on the validity and interpretation of some restrictions on data protection rights related to immigration, and the commission will reassess the need for the exclusion after changes in the UK law.
The move has a relevance for the exchange of data between the two sides for data sharing in law enforcement and to the UK public sector in easing the way to the future of cloud services under which data resides in data centres in continental Europe or the Republic or Ireland. The issue has come up in discussions organised by UKAuthority for public sector digital leaders, who have cited it as a potential complication for the future use of cloud.
Essential to relationship
Didier Reynders, EU commissioner for justice, said: “After months of careful assessments, today we can give EU citizens certainty that their personal data will be protected when it is transferred to the UK. This is an essential component of our new relationship with the UK. It is important for smooth trade and the effective fight against crime.
“The commission will be closely monitoring how the UK system evolves in the future and we have reinforced our decisions to allow for this and for an intervention if needed.”
UK Secretary of State for Digital Oliver Dowden said: “After more than a year of constructive talks it is right the European Union has formally recognised the UK’s high data protection standards. This will be welcome news to businesses, support continued cooperation between the UK and the EU and help law enforcement authorities keep people safe.
“We will now focus on unlocking the power of data to drive innovation and boost the economy while making sure we protect people’s safety and privacy.”
Julian David, CEO of IT industry association techUK, commented: “The data adequacy decision also provides a basis for the UK and EU to work together on global routes for the free flow of data with trust, building on the G7 Digital and Technology declaration and possibly unlocking €2 trillion of growth.
“The UK must also now move to complete the development of its own international data transfer regime in order to allow companies in the UK not just to exchange data with the EU, but also to be able to access opportunities across the world.”
Image from iStock, mixmagic