Formal adoption of the decisions under the EU General Data Protection Regulation (GDPR) and Law Enforcement Directive (LED) allows personal data to flow freely from the EU and wider European Economic Area (EEA) to the UK.
The decisions mean that UK businesses and organisations can continue to receive personal data from the EU and EEA without having to put additional arrangements in place with European counterparts.
This free flow of personal data supports trade, innovation and investment, assists with law enforcement agencies tackling crime, and supports the delivery of critical public services sharing personal data as well as facilitating health and scientific research.
The UK, which now operates a fully independent data policy, has already recognised the EU and EEA member states as ‘adequate’, as part of its commitment to establish a smooth transition for the UK’s departure from the bloc.
The government plans to promote the free flow of personal data globally and across borders, including through ambitious new trade deals and through new data adequacy agreements with some of the fastest growing economies, while ensuring people’s data continues to be protected to a high standard.
All future decisions will be based on what maximises innovation and keeps up with evolving tech. As such, the government’s approach will seek to minimise burdens on organisations seeking to use data to tackle some of the most pressing global issues, including climate change and the prevention of disease.
“We have listened very carefully to the concerns” expressed by the European Parliament, in particular on the possibility of future divergence from our standards in the UK’s privacy framework,” said EC vp Vera Jourova, who played a big part in establishing the GDPR legislation, “we have significant safeguards and if anything changes on the UK side, we will intervene.”
The deal means that, for now, companies can ship data between the EU and the UK without violating EC privacy rules.
The deal cements an interim solution agreed in December to tide over the situation for the first six months after Brexit.
To address concerns the UK could in future deviate from the EU’s privacy protection rules, the agreement contains a sunset clause which requires a four yearly review of the workings of the data transfer process.