The EU has granted the UK’s data protection system a pass for now.Paul MotionThis explains everything.
Two data “adequacy” decisions have been made by the European Commission for the UK. This resolves a major concern following Brexit. Personal data flowing from the UK into EU member states was considered to have flowed to countries with sufficient data protection. However, personal data flowing backwards from the EU to UK was not automatically treated as such.
At the end of June 2021, a transitional arrangement was to expire. Businesses were now facing significant upheaval if there had been no adjudication on adequacy. This included the possibility of having their contracts, website contact forms and privacy policies rewritten, as well as privacy notices, privacy notices and terms of business terms revoked.
While this is very encouraging, it should also be noted that the EU adequacy decision includes a sunset clause for the first time. The decision will automatically expire after four years. The situation in the UK will be monitored by the Commission during this time.
Vera Jourva is vice-president values and transparency. She stated: “We’re talking about fundamental rights of EU citizens that are protected by us.” We have strong safeguards in place and will take action if there is any change on the UK’s side.
Didier Reynders also stated that the commissioner for justice, said: “The Commission is closely monitoring the evolution of the UK system in the future. We have strengthened our decisions to allow this and for intervention if necessary.” Personal data protection is of paramount importance to the EU. It must be maintained when data are transferred overseas.
These observations are important for two reasons. First, in a Court of Appeal for England and Wales decision [The Open Rights Group & Anor v Secretary of State for The Home Department & Anor 2021] EWCA 800], certain exemptions relating data transfers for the purposes of UK immigration control were ruled to be incompatible with GDPR.
Second, last week, the government released the report of its Task Force on Innovation, Growth and Regulatory Reform. According to this author, the report contains several fundamental misconceptions about how GDPR works.
Data protection law was often confused with direct market regulation in several instances. The proposal to eliminate any human oversight requirement for automated decision-making (GDPR Article 22) and the overall thrust of the report which seems to place an emphasis on the commercialisation of data will have concerned the European Commission.
While the UK has marked up its data protection homework, we will still be waiting for our end-of-term report card.