The Dutch Data Protection Commission believes that personal data is well protected in the United Kingdom even after Brexit. At the same time, it fears that data from Europeans will be transferred from the UK to less regulated countries. The European Data Protection Board (EDPB), the umbrella body for all national regulators, calls on the European Commission to act.
This is clear from two comments released by the EDPB this week, the Dutch Data Protection Authority says in a press release.
Properly organized personal data protection in the United Kingdom
The United Kingdom left the EU permanently on 31 December 2020. Since then, the country is no longer governed by the General Data Protection Regulation (GDPR) and other European privacy laws. Therefore, European companies should not send personal data of Europeans to companies in the UK.
Nevertheless, the personal data of European citizens is well protected if it is transferred to the United Kingdom, writes the Dutch Data Protection Commission. This is because the UK has copied European privacy laws: the GDPR and the Police and Justice Order. Therefore, the data protection system in the UK is very similar to that of the EU.
The European Commission makes two adequacy decisions
At the same time, the EDPB is concerned. The umbrella organization fears that the personal data of European citizens will be transferred from the United Kingdom to less regulated countries, such as the United States. The EDPB has asked the European Commission for clarification on the matter.
The European Commission has called for two adequacy decisions to allow the transfer of personal data to the United Kingdom. An adequacy decision is a decision of the EU Executive Committee determining whether a country has an appropriate level of protection for personal data. With such a decision in place, there is no objection to companies operating in EU member states transferring personal data to the UK.
No decision has been made yet
Adequacy decisions of the European Commission apply for a period of four years. If the UK decides to take interim measures that reduce the level of protection of European citizens, the Commission cannot intervene. The EDPB asks the European Commission to make interim changes if necessary.
The Dutch Data Protection Commission says the European Commission is obliged to consult the EDPB on adequacy decisions. However, it is under no obligation to follow these suggestions. It is not known when the European Commission will decide whether to make the adequacy decisions or whether European companies can transfer personal data to companies in the UK.
How personal data transfer is arranged after July 1st
At this time, the English are benefiting from an interim arrangement for the release of personal data. This means that the ‘old’ and well-known European privacy rules are in effect. This period runs until the end of April. The transition period could be extended for another two months, but that would require EU and UK approval.
The Dutch Data Protection Commission recently wrote about how the transfer of personal data to the UK will be arranged after July 1, 2021. In essence, the UK would be considered a non-EU country if the European Commission did not make an adequacy decision by the end of June. Personal data can then only be exchanged if the country in question has ‘adequate security’. You can read about this in our article ‘For example, personal data transfer is regulated in the Brexit Agreement’.