The European Commission has the power to determine whether a third country has an adequate level of data protection. A adequacy decision means that personal data can be transferred from an EEA state to a third country without the need for another security arrangement. The adoption of a a decision on adequacy includes a proposal from the European Commission, an opinion from the European Data Protection Committee, the agreement of EU representatives and the adoption of the decision by the Commissioners. Secondly, the threat of not agreeing with the United Kingdom makes no sense, given that the United Kingdom has already challenged its compliance with the RGPD. With Brexit, the Data Protection Act will remain in force in 2018 and, in addition to the EU Withdrawal Act, the RGPD will be incorporated into UK law. And the Office of the Information Commissioner of the United Kingdom has been one of Europe`s leading data protection authorities. If the EU does not match the UK, few other nations will have a chance. As part of the two-year review of the EU`s general data protection regulation, the European Commission said it could „not predict” whether the UK, now a former EU member, would be able to reach an agreement on the adequacy of data transfers with the EU, on the grounds that the UK could adapt its national legislation to move away from the RGPD. The threat of making it harder for the UK to get involved in digital trade with the EU is wrong for three reasons. A recent letter from the Chairman of the European Data Protection Committee (EDPB) found that the EDPB also looked at the agreement between the United Kingdom and the United States on access to electronic data to combat serious forms of crime (hereafter referred to as the „agreement”). The agreement aims to enable law enforcement agencies in both countries to require access to electronic evidence, including personal data, held by competent companies based in the other country in order to prevent and prosecute serious offences. The regime should be parallel to the current system of mutual legal assistance, which has been criticized for its slowness and inefficiency.
In the United States, the bilateral agreement is implemented by the Clarifying Lawful Overseas Use of Data Act („CLOUD Act”). In this blog we will detail the situation of the United Kingdom and, in particular, how it can become an appropriate country. If no adequacy decision is taken, the other main options are to maintain the RGPD in UK national law under the EU Withdrawal Agreement, which provides for a transitional period until 31 December 2020. The UK government and the EU will use this transition period to negotiate a deal that could mean the UK Data Protection Act 2018 is considered „appropriate” by EU colleagues. If this adequacy decision is not successful, the UK will have to amend its legislation or risk violating EU law and face sanctions.