After Brexit there were numerous doubts regarding the data protection system in the United Kingdom. Since the UK has no longer been part of the European Union from January 2021, the parties had to reach an agreement to allow a free flow of data from the EU to the UK.
Data flow from EU to UK: the agreement
On 28th June 2021, the European Commission finally announced the agreement between the two shores of the English Channel. Two adequacy decisions were adopted, one under the General Data Protection Regulation (GDPR) and the other under the Law Enforcement Directive.
The UK has fully incorporated the principles, rights and obligations of the GDPR and the Law Enforcement Directive into its post-Brexit legal framework. Its data protection system has not changed since it was a Member State, and therefore remains equivalent to the one currently guaranteed in Europe.
Data flow from EU to UK: guarantees
Access to personal data by public authorities in the UK no longer raises particular concerns. In fact, solid guarantees have been provided:
- their data collection will be subject to prior authorization from an independent judicial body
- any measure must be necessary and proportionate to what is intended.
In addition, the UK must adhere to the European Convention on Human Rights, as well as the Council of Europe Convention for the protection of individuals with regard to the automated processing of personal data. The latter is the only binding international data protection treaty.
Data flow from EU to UK: the sunset clause
A new element is the so-called ‘sunset clause’ incorporated in the adequacy decisions, which will have a limited duration of four years from their entry into force. Upon expiry, they may be renewed, as long as the UK continues to ensure an adequate level of data protection and security. During the period of validity, the European Commission will in any case continue to monitor the legal situation of the United Kingdom and, in the event of deviations, it may intervene at any time.
The full implementation of the GDPR and the solid guarantees placed on adequacy decisions in the event of future divergences guarantee full freedom of data circulation between the EU and the UK.