On 28th June 2021, the European Commission has adopted two adequacy decisions for the UK; one regarding the General Data Protection Regulation (GDPR) and the other one relating to the Law Enforcement Directive. This means that for the coming four years, there is a basis to freely exchange personal information between the EU and the UK, with the guarantee that the data will receive an equal level of protection as under EU law. The adequacy decisions also contribute to the correct implementation of the EU-UK Trade and Cooperation Agreement.
Key highlights of the adequacy decisions:
- The UK has fully incorporated the obligations, rights and principles of both the GDPR and the Law Enforcement Directive into its legal system; the UK's data protection system continues to be based on the same rules that were applicable when the UK was a Member State of the EU.
- With respect to access to personal data by public authorities in the UK, notably for national security reasons, the UK system provides for strong safeguards. In addition, the UK is subject to the authority of the following bodies/conventions: European Court of Human Rights, European Convention of Human Rights and Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. These international commitments are the essential parts of the legal framework in the two adequacy decisions.
- The adequacy decisions include a ‘sunset clause,’ limiting the duration of the decisions to four years. After that, the adequacy findings could be renewed, if the UK continues to guarantee the right level of data protection. In the meantime, the Commission will monitor the legal situation in the UK and it reserves the right to intervene at any point, if the UK deviates from the current high level of data protection.
Currently it is investigated what these decisions entail for the exchange of vehicle and driving licences data via EUCARIS.