Teaming up with... AVIVA

Welcome to the UKGI weekly regulation update service for Aviva ABC brokers

We hope you find the Updates useful. If you are
interested in subscribing to our affordable
ABC compliance support package, please
email us at ABC@ukgigroup.com or
call UKGI on our dedicated ABC
contact line 01925 767893.

ICO statement in response to the EU Commission’s announcement on the approval of the UK’s data protection adequacy

Jul 1, 2021 | ICO

Link(s):Data protection: draft UK adequacy decision
ICO statement in response to the EU Commission’s announcement on the approval of the UK’s adequacy
EU adopts ‘adequacy’ decisions allowing data to continue flowing freely to the UK

Context

In our weekly update last week we explained that it was reported in industry press that European Union member states had agreed that British standards for the protection of personal data are sufficiently high that such information can continue to flow between the EU and the UK. On 28th June, the EU Commission announced that two adequacy decisions had been granted.

Background

On 19th February, the EU Commission published two draft adequacy decisions in favour of the UK in relation to the continuing free movement of data between the EU and the UK; the EU Commission, at the same time, launched the procedure for their adoption. Over the past months the Commission has carefully assessed the UK’s law and practice on personal data protection, including the rules on access to data by public authorities in the UK. 

The Commission has been in close contact with the European Data Protection Board (which gave its opinion on 13th April), the European Parliament and the Member States. Following this in-depth process, the European Commission requested the green light on the adequacy decisions from Member States’ representatives. EU Member States were given a short timescale by the EU Commission to review and approve the draft adequacy decisions so they could be formalised.

The adoption of the decisions on 28th June, following the agreement from Member States’ representatives, is the last step in the procedure. The two adequacy decisions came into force from Monday 28th June – one under the General Data Protection Regulation (GDPR) and the other for the Law Enforcement Directive.

Personal data can now flow freely from the European Union to the United Kingdom where it benefits from an essentially equivalent level of protection to that guaranteed under EU law. The adequacy decisions also facilitate the correct implementation of the EU-UK Trade and Cooperation Agreement, which foresees the exchange of personal information. Both adequacy decisions include strong safeguards in case of future divergence such as a ‘sunset clause’, which limits the duration of adequacy to four years. 

After Brexit, when the UK’s ‘adequacy’ was previously guaranteed by the fact that the UK was either in the EU or in the Transition Period and was therefore subject to the EU GDPR, transitional data sharing arrangements were agreed alongside the EU-UK Trade and Cooperation Agreement (TCA) reached in late 2020.

Key points to note

  • Both adequacy decisions include strong safeguards in case of future divergence such as a ‘sunset clause’, which limits the duration of adequacy to four years. 
  • The EU has determined the UK’s data protection laws to be robust enough to ensure data can safely flow to the UK from the EU (and EEA).
  • The UK’s data protection system continues to be based on the same rules that were applicable when the UK was a Member State of the EU. The UK has fully incorporated the principles, rights and obligations of the GDPR and the Law Enforcement Directive into its post-Brexit legal system.
  • The Information Commissioner, Elizabeth Denham, stated “Approved adequacy means that businesses can continue to receive data from the EU without having to make any changes to their data protection practices”.

Next actions

None – for information and awareness