Data Protection Officers can now breathe a sigh of relief. Whether they exchange personal data with subsidiaries or branches in the UK, operate shared service centers for the corporate group, or collaborate with cloud and IT service providers who maintain data centers in the UK, data transfer remains the same despite Brexit. In a press release, the EU Commission explained that free data flow is possible because the level of protection in the United Kingdom is equivalent. To guarantee unimpaired trade and to fight crime effectively, the Commission has adopted two adequacy decisions: one under the General Data Protection Regulation (GDPR) and one under the directive for data protection in law enforcement.
EU monitors the development
However, in contrast to comparable decisions regarding other third-party states, the decisions contain an expiry clause for the first time: they expire after four years and will be renewed if the United Kingdom continues to maintain an appropriate level of data protection. At the same time, the Commission intends to closely monitor how the system develops in the UK and intervene, if necessary.
Strong guarantees if UK authorities access the data
The adequacy decisions are based on the fact that the legal system that has applied in the United Kingdom since Brexit fully adopts the principles, rights and obligations of the GDPR and of the directive for data protection in law enforcement.
According to the EU Commission, another important element is the set of guarantees that the UK data protection system offers when authorities intend to access personal data. In particular, intelligence services would only obtain access if an independent legal body has approved this in advance. All measures must be necessary and appropriate with a view toward the objective pursued. Those who feel unjustly monitored can submit a complaint to the Investigatory Powers Tribunal, the court for investigative authorizations. Furthermore, the UK is subject to the case law of the European Court of Human Rights, the European Convention on Human Rights and the Convention of the Council of Europe for the Protection of Individuals with regard to Automatic Processing of Personal Data, the only binding international convention concerning data protection.
The EU Parliament and the European Data Protection Board (EDPB) took a critical view of unimpaired data transfer without additional conditions such as no-spy agreements. In their view, personal data could otherwise not be adequately protected against access by intelligence services, as is the case in the USA.
Time was running out for the EU Commission. The provisional regulations for data transfer after Brexit expired at the end of June 2021.
Many companies are relieved. Without the adequacy decisions of the EU Commission, they would generally have had to comply with the EU standard contractual clauses when transferring personal data to the United Kingdom after July 1, 2021. However, the Schrems II judgment from the European Court of Justice (CJEU) has created major barriers that involve an extreme amount of work for companies. Under some circumstances, the data transfer requires additional technical measures such as pseudonymization or encryption.
However, the current situation may only prove to be an interim measure, and not only because of the expiry date of the adequacy decisions and the EU's authority to intervene. The Schrems I and II judgments of the CJEU demonstrate that even bridges for data transfer once regarded as legally secure can crumble. This also applies to any complaints against the adequacy decisions. As such, companies need to keep an eye on the developments.