All EU Member States have agreed on two adequacy decisions. Companies operating in Europe can transfer personal data and other data of European citizens to the UK. This means that member states are convinced that the British have in place sufficient safeguards to protect the personal and privacy-sensitive data of Europeans. The opponents think otherwise.

What writes Network policy, a site that reports on topics related to digital freedoms and openness. .

Brexit makes it difficult to exchange data with the United Kingdom

As of December 31, 2020, the United Kingdom is no longer officially part of the European Union. Since then, the British are no longer required to comply with European laws and regulations, such as the General Data Protection Regulation (GDPR). However, it is in the UK’s interest to commit to European privacy standards. If they don’t, it will be virtually impossible for British companies to do business with continental Europe.

To avoid that, the UK copied several privacy laws in April, namely the GDPR and the Police and Justice Directive. At the same time, the European Commission drew up two adequacy decisions to allow the exchange of personal data from Europe to the UK. An adequacy decision is a decision in which the EU executive board determines that a country has an adequate level of personal data protection. This means that there are no objections to companies operating in EU Member States transferring personal data to the UK.

Member States give the green light to data exchange

The adequacy decisions had yet to be approved by the EU member states. The debate on this has already taken place. Member states unanimously approved the decisions, writes Netzpolitik. This removes all barriers to data exchange with the UK.

Since the separation between the UK and the EU, the exchange of personal and other data has become a legally complex story. In the Brexit agreement it was agreed that nothing would change in this area once the agreements entered into force. This transition period could be extended to six months, but both the EU and the UK had to agree.

To regulate the exchange of data after July 1, the European Commission had to make an adequacy decision at the end of June. If the day-to-day management of the EU did not do this, the UK was considered a non-EU country from that date. In that case, the data should only be exchanged if the UK has an adequate level of protection. Now that the EU Member States have agreed on the adequacy decisions, this is no longer a problem.

Opponents fear mass surveillance by the British

Privacy activists and MEPs have raised concerns about the decision to allow data sharing with the UK. In the context of national security and immigration control, the British government gives the intelligence and security services GCHQ and MI6 a lot of space to provide access to privacy-sensitive data. Nor are there enough independent courts to oversee the way services operate.

Therefore, opponents fear that intelligence and law enforcement agencies have unlimited access to confidential data. The European Data Protection Board (EDPB) faced similar criticism when the European Commission presented the draft proposals for the adequacy decisions. The European Court of Justice and the European Court of Human Rights also recently ruled against the surveillance practices of GCHQ and MI6. The courts ruled that the intelligence practices of the British services constituted a violation of human rights.

Finally, privacy activists see parallels with the Privacy Shield. In this agreement, agreements were established on the exchange and storage of privacy-sensitive data of EU citizens and non-EU countries. In July 2020, the Court of Justice of the European Communities canceled this treaty. The judge opined that Americans do not offer the same level of protection that we offer here in Europe. The GDPR requires companies on the other side of the ocean to take storage and security measures equivalent to those in the EU. This is also known as the principle of proportionality. The Court found that the Privacy Shield did not guarantee this and was therefore declared invalid with immediate effect. Opponents believe that this is also the case for adequacy decisions taken by Member States.

Update (June 28, 2021): the European Commission confirms in a press statement that agreements on the exchange of personal data have been concluded between Europe and the United Kingdom. The protection of this data is of the same level in the United Kingdom as in the European continent. “After months of careful deliberation, today we can offer EU citizens the assurance that their personal data will be protected when transferred to the UK,” said Didier Reynders, European Commissioner for Justice.

“This is an essential part of our new relationship with the UK. It is important for smooth trading and effective crime fighting. The Commission is closely monitoring how the UK system develops in the future and we have strengthened our decisions to allow this and intervene if necessary. The EU has the highest personal data protection standards and these should not be compromised when personal data is transferred abroad. “