UK data protection law – reformed in 2018 to align with the EU General Data Protection Regulation – is sufficiently stringent to allow exchanges of personal data with the EU to continue, the European Commission has said in a long-awaited decision. A draft ‘adequacy’ ruling announced today was welcomed by the government, which described it as ‘logical’.
The decision has been a nearly year in the making: the UK formally provided the commission with explanatory material in March 2020. Following the end of the Brexit transition period, exchanges of personal data with the EU have been allowed by a bridging agreement due to expire in June.
The UK has already recognised the EU and EEA member states as ‘adequate’ for data protection.
In a statement, the Department for Culture, Media and Sport said the UK ‘made its representations to the EU in a timely manner but the commission did not finalise draft decisions in time to complete the adoption process by the end of the transition period’. It urged the EU to ‘swiftly complete the technical process for adopting and formalising these adequacy decisions as early as possible’.
Today’s decision is subject to a ‘non-binding opinion’ from the European Data Protection Board and formal approval by EU member states.
Oliver Dowden MP, secretary of state for digital, said: ‘Although the EU’s progress in this area has been slower than we would have wished, I am glad we have now reached this significant milestone following months of constructive talks in which we have set out our robust data protection framework.
‘I now urge the EU to fulfil their commitment to complete the technical approval process promptly, so businesses and organisations on both sides can seize the clear benefits.’