Privacy, Technology and Perspective
Britain Moves a Step Closer to “Adequate.”
This week, the United Kingdom took another step forward towards smoothing out the privacy difficulties caused by Brexit, as the European Data Protection Board (EDPB) generally approved Britain’s mechanisms for protection of personal data as “adequate” under the EU’s General Data Protection Regulation (GDPR).
“Adequacy” under the GDPR
Put broadly, the GDPR restricts transfers of personal data outside the European Economic Area (EEA), or outside the protection of the GDPR, unless the rights of the individuals with respect to their personal data are protected in another way, or one of a limited number of exceptions applies. One manner of lawful transfer under the GDPR occurs when personal data is transferred to a country that has received an “adequacy decision” from the European Commission.
The adoption of an adequacy decision involves a long process, which includes a proposal from the European Commission, an opinion of the EDPB, an approval from representatives of EU countries, and finally, the adoption of the decision by the European Commission.
In order to be deemed “adequate,” the country being considered for an adequacy decision must provide data subjects with certain rights to see information about themselves (including the right to correct or erase it if appropriate), and comprehensive procedural and enforcement mechanisms, including a competent independent authority, a data privacy system which ensures a good level of compliance, and support and help for data subjects in exercising their rights and obtaining redress.
“Adequacy” involves particular attention to restrictions on collecting and using personal data for law enforcement purposes – a long-standing sore point between the EU and the United States.
This Week’s Opinion
While not a surprise – or perhaps even much of a nail-biter – the EDPB’s opinion brings a level of relief.
The decision comes in the form of a detailed, explanatory Opinion, 49 densely-packed pages in length, describing the standards and procedural history and analyzing in detail Britain’s data-protection regime. Pointedly, nearly half of the Opinion is devoted to criminal surveillance and law-enforcement issues.
Generally, the Opinion approves the United Kingdom’s data-protection regime as “Adequate” – hardly a startling surprise as Britain had already been complying with the GDPR before Brexit. But the Opinion does urge the European Commission to keep a vigilant eye on the UK lest it evolve further policies or practices which stray from GDPR standards, particularly in such areas as immigrant policy, onward transfers from the UK to other countries (especially the US), and ever-present law enforcement procedures.
Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.