The Brexit has a significant impact on personal data protection. Initially, the agreement signed between the EU and the UK allowed for an adequacy to the GDPR, an agreement valid until December 31, 2020. This agreement was then extended until July¹, 2021, by the EU Commission, which on February 19, 2021, declared itself in favor of a four-year adequacy decision. However, this decision is not yet finalized, the drafts are available here. If this agreement is not finalized before July¹, the use of standard contractual clauses (SCC) between the EU and the UK will remain necessary.

What decisions have been made?

On April 13, the European Data Protection Committee (EDPS) issued two opinions on the UK's draft adequacy decisions, raising significant concerns about the documents.

On May 11, MEPs, via the European Parliament's Civil Liberties Committee, called on the Commission to move forward more quickly on the UK adequacy decision, insisting on the resolution of key sticking points. The UK's data protection laws are similar to the GDPR, however, MEPs asked questions about their application and exemptions. These questions, in line with recent concerns of the EDPS (European Data Protection Committee), cover a number of different issues.

Immigration: affecting the rights of EU citizens wishing to settle or remain resident in the UK, with no judicial oversight of the management of data processed in this context.
National security and data processed by law enforcement: with the UK state having broad powers in this area, this needs to be addressed in the forthcoming adequacy decision. MEPs are concerned about the huge amounts of data shared between the UK intelligence agencies themselves, as well as with their US counterparts (NSA, CIA, etc). As a result, MEPs are calling for non-spying agreements between the EU and the UK to remove these pitfalls.

Third countries and onward transfers

MEPs expressed concern about further data transfers. Indeed, the United Kingdom has signed data sharing agreements with countries that are not adequate to the RGPD, such as the United States, or agreements in the framework of partnerships that would allow, in the event of an overly permissive adequacy decision, transfers from the EU to the United States, and thus to countries that are not adequate to the RGPD but have agreements with the United States.

Recently, the United Kingdom applied to join the Trans-Pacific Free Trade Agreement (CPTPP, formerly TPP), which includes the United States, Canada, Mexico, Chile, Peru, Japan, Malaysia, Vietnam, Singapore, Brunei, Australia and New Zealand, some of which are declared non-RGPD compliant by the EU Commission. Several of its members are not considered adequate in terms of personal data protection.

The concerns of MEPs and the EDPS are unlikely to be of much weight in the face of the heavy economic consequences of blocking data transfers (estimated at 8 billion euros) and political consequences, with the United Kingdom forging major international partnerships since its regained independence from the EU. This observation can be replicated regarding personal data transfers between the EU and the United States, with a new Privacy Shield to come, the subject of one of our previous articles, which will undoubtedly adapt to the huge economic stakes involved. The RGPD should follow the same logic, the will to submit the practices of international intelligence agencies to its rules being of the order of utopia.