All EU Member States have agreed to two adequacy decisions. Companies operating in Europe are allowed to transfer personal data and other data of European citizens to the United Kingdom.
This means that the member states are convinced that the British have built insufficient safeguards to protect the personal and privacy-sensitive data of Europeans. Opponents think otherwise.
That writes Netzpolitik, a site that reports on matters related to digital freedoms and openness. .
Brexit makes data exchange with the United Kingdom more difficult
As of December 31, 2020, the United Kingdom is officially no longer part of the European Union. Since then, the British are no longer obliged to comply with European laws and regulations, such as the General Data Protection Regulation (GDPR). However, it is in the UK’s interest to commit to European privacy rules. If they don’t, it will be virtually impossible for British companies to do business with the European mainland.
To prevent that, the UK copied several privacy laws in April, namely the GDPR and the Police and Justice Directive. At the same time, the European Commission drafted two adequacy decisions to allow the exchange of personal data from Europe to the United Kingdom. An adequacy decision is a decision in which the executive board of the EU determines that a country has an adequate level of protection for personal data. This means that there are no objections for companies operating in the EU Member States to transfer personal data to the United Kingdom.
Member States give green light to data exchange
The adequacy decisions still had to be approved by the EU member states. The debate on this has already taken place. The member states unanimously approved the decisions, Netzpolitik writes. This removes all barriers to exchanging data with the United Kingdom.
Since the separation between the United Kingdom and the EU, the exchange of personal and other data has become a legally complex story. It was agreed in the Brexit deal that nothing would change in this area after the agreements came into effect. This transition period could be extended to six months, but both the EU and the United Kingdom had to agree.
In order to regulate the data exchange after 1 July, the European Commission had to take an adequacy decision by the end of June. If the day-to-day management of the EU did not do this, the United Kingdom was regarded as a country outside the EU from that date. In that case, data should only be exchanged if the United Kingdom had an adequate level of protection. Now that the EU Member States have agreed to the adequacy decisions, this is no longer an issue.
Opponents afraid of mass surveillance by the British
Privacy activists and MEPs have expressed concerns about the decision to allow data sharing with the United Kingdom. In the context of national security and immigration control, the British government gives ample scope to the intelligence and security services GCHQ and MI6 to provide access to privacy-sensitive data. There are also not enough independent courts that supervise the way the services work.
Opponents, therefore, fear that the enforcement and intelligence agencies have unrestrained access to confidential data. The European Data Protection Board (EDPB) faced similar criticism when the European Commission presented the draft proposals of the adequacy decisions. The European Court of Justice and the European Court of Human Rights also recently ruled against the surveillance practices of GCHQ and MI6. The courts ruled that the intelligence practices of the British services were a violation of human rights.
Finally, privacy activists see parallels with the Privacy Shield. Agreements were made in it about the exchange and storage of privacy-sensitive data of EU citizens and non-EU countries. In July 2020, the European Court of Justice cancelled this treaty. The judge was of the opinion that the Americans do not offer the same level of protection as we do here in Europe. The GDPR demands that companies on the other side of the ocean take equivalent storage and security measures as in the EU. This is also known as the proportionality principle. The Court held that the Privacy Shield did not guarantee this and was therefore declared invalid with immediate effect. Opponents believe that this is also the case with the adequacy decisions adopted by the Member States.
Catch up on more articles here
Follow us on Twitter here