Brussels has given an initial green light for personal data to continue to flow between the UK and the EU in the post-Brexit era.
The European Commission published a draft decision on Friday concluding that the UK’s data protection regime complies with the GDPR, the EU’s flagship data protection law.
The GDPR, which stands for General Data Protection Regulation, has become one of the most recognisable pieces of EU legislation.
Brussels is particularly keen on promoting and defending its implementation, both in and outside the bloc.
The law, which also applies in Iceland, Liechtenstein and Norway, has inspired numerous data protection laws around the world.
Article 45 of the GDPR grants the European Commission the power to assess whether non-EU countries ensure a level of data protection that is “essentially equivalent” to what GDPR offers to EU citizens.
If the European Commission considers that the protection is “adequate”, transfers of personal data between the EU and that third country can take place without being subject to any extra conditions.
This is what Brussels recommends in the case of the United Kingdom.
The decision of the European Commission is not yet final: it now requires an opinion from the European Data Protection Board (EDPB) and the green light from a committee composed of national representatives.
In the meantime, data flows between the two continue to operate through an interim regime included in the EU-UK free trade deal signed last year. This regime expires on June 30.
“Ensuring [the] free and safe flow of personal data is crucial for businesses and citizens on both sides of the Channel,” said Věra Jourová, Vice-President of the European Commission. “The UK has left the EU, but not the European privacy family.”
A tale of two GDPRs
Following Brexit, the UK is no longer bound by EU law. Before the country left the bloc, the British government hand-picked the European laws that it wanted to preserve – and those that it wished to do away with.
The GDPR was retained in the UK’s domestic law via transposition, in what is now referred to as the “UK GDPR”. The provisions are virtually the same but, after Brexit, Westminster has the power to review them and change them.
With this possibility in mind, the draft decision of the European Commission introduces mechanisms to monitor and evaluate whether the UK regime remains equivalent to the EU’s.
“Such monitoring is particularly important in this case, as the United Kingdom will administer, apply and enforce a new data protection regime no longer subject to European Union law and which may be liable to evolve,” the text reads.
The first evaluation will come four years after the decision enters into force.
If the Commission considers that the UK’s data protection has worsened or deviated in comparison to the EU, it could subject EU-UK data flows to additional conditions or limit the scope of the transfers.
In a more extreme scenario, Brussels could suspend or repeal the equivalence decision altogether, although this seems highly unlikely given the similarities between both GDPRs and the broad support for data protection on both sides of the English Channel.