The European Commission has said that data can now flow freely between the EU and UK, after deciding that the UK would give the personal information of EU citizens the same level of protection as that guaranteed under EU law.
It has adopted two ‘adequacy decisions’ — one under the EU’s General Data Protection Regulation (GDPR) and the other for the Law Enforcement Directive. Both have ‘sunset clauses’, meaning they expire after four years.
They could then be renewed — but only if the EU is satisfied that the UK will continue to ensure an adequate level of data protection.
Commissioner Věra Jourová said that, although the UK had left the EU, its legal regime for protecting personal data remained unchanged.
She added, however, that the commission had listened carefully to concerns expressed by the European Parliament and some member states about the possibility of future divergence from EU standards in the UK.
“This is why we have significant safeguards and, if anything changes on the UK side, we will intervene,” she said.
Didier Reynders (Commissioner for Justice) said that the commission would be closely monitoring how the UK system evolved in the future, and would intervene if necessary.
The commission said that the UK had fully incorporated the principles, rights and obligations of the GDPR and the Law Enforcement Directive into its post-Brexit legal system.
It added that the UK provided “strong safeguards” on access to personal data by public authorities, particularly the collection of data by intelligence authorities.