The EU Commission has finally confirmed that data transfers may continue between the EU and UK. I previewed this in February but it issued the actual decision (PDF) only just before the deadline. This is the mechanism by which it formally says that UK law protects personal data in line with GDPR.
The decision analyses the Data Protection Act 2018 and its adherence to the principles of GDPR. It notes, in particular, the importance of ensuring the protection of EU data to third countries via the UK.
The Commission also examined at length the impact of the Investigatory Powers Act 2016. This Act grants powers to intercept and retain communications data, including on a bulk basis. The Commission comments that this legislation has better safeguards than the previous one scrutinised by the CJEU. Remember, it was the bulk collection of data that led to Safe Harbour and Privacy Shield unravelling at the CJEU. So, while the Commission might be content, that doesn’t preclude a challenge by privacy advocates.
The decision acknowledges the UK might deviate from GDPR in the future. After all, Brexit means the UK could, in theory disapply EU laws. Not surprisingly the Commission has said it will continuously monitor the situation and the decision will expire after 4 years in any event.
This last minute brinksmanship favoured by the UK and EU is making it difficult to plan. But businesses can breathe a collective sigh of relief: data can flow to and from the EU & UK without the need, for example, to use the Commission’s all new standard contractual clauses.
If you need advice, contact me firstname.lastname@example.org or +44 (0) 20 7611 2338.