On June 28, 2021, the European Commission announced the adoption of two adequacy decisions that authorize personal data to be shared freely between the EU and the UK for the duration of up to four years. The adequacy decisions, one offered under the General Data Protection Regulation (GDPR) and the other under the Law Enforcement Directive, are intended to ensure that the EU-UK Trade and Cooperation Agreement, that dictates the preferred processes by which data is shared in areas such as trade and judicial matters, is correctly implemented.
This is the first time that an adequacy decision has contained a “sunset clause” that, in this case, strictly limits the duration of the privacy sharing framework to four years in order to protect against the possibility of future divergence from the current standards of care. The Commission intends to monitor the level of protection offered by the UK for all four years, promising to intervene if the protections deviate at any point. At the end of four years, the adoption process will start again and the level of data protection will be reevaluated before the framework will be renewed.
Under the new framework, the UK provides strong safeguards for the sharing of personal data with public authorities in the UK, making the collection of data by intelligence authorities subject to prior authorization from an independent judicial body. It is also essential to the framework that the UK remains subject to the jurisdiction of the European Court of Human Rights and adheres to the European Convention of Human Rights and the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, the only binding international treaty in the area of data protection. In addition, data transfers related to UK immigration control have been excluded from the framework; however, the Commission will reassess the exclusion of immigration data when recent litigation in the UK on this topic has concluded.