With seeming breakneck speed the EU Commission has published its draft decision regarding the adequacy of the UK under the GDPR following Brexit.
If approved and adopted the adequacy decision will allow for seamless transfer of personal data between the EEA and UK, which will be a positive note for many industries especially those in banking, e-commerce, and health, although it may add to the frustration of those in goods based sectors that have seen increasing border delays and tensions following Brexit.
Although the adequacy decision will be welcomed on all sides it is subject to review on a four year cycle. It will be interesting to see how this process interacts with the freedoms of the UK’s regulator, the Information Commissioner’s Office, to diverge in its application of the GDPR from other regulators in the EEA that are bound by a single enforcement regime and an obligation to find consensus when working on international matters.
With clarity now achieved on UK-and EEA interaction, focus must now be on greater clarity for the requirements of protection in relation to transatlantic data flows following the EU-US Privacy Shield being found invalid by the European Court in July of last year.
Next steps will be obtaining an opinion from the European Data Protection Board (EDPB) and then the green light from a committee composed of representatives of the EU Member States. If this is completed the Commission may proceed to adopt a final adequacy decisions for the UK.
The 88 page decision will make for interesting weekend reading, so watch out for a more detailed analysis next week.
Today, the Commission launched the process towards the adoption of two adequacy decisions for transfers of personal data to the United Kingdom, one under the General Data Protection Regulation and the other for the Law Enforcement Directive.