As of yesterday, French companies no longer need to regulate the flow of personal data to the United Kingdom by means of the appropriate safeguards provided for by the GDPR for transfers to third countries. Indeed, the European Union has just reached an agreement with London, for a period of at least 4 years.
The UK and the EU have therefore agreed on the application of the General Data Protection Regulation (GDPR) after 1 July 2021. The two adequacy decisions have just been published and adopted for a period of 4 years.
With this adequacy decision, the European Commission has concluded that "the UK has fully integrated the principles, rights and obligations of the GDPR and the Directive on data protection in law enforcement into its post-Brexit legal system".
These agreements represent a major step forward, both procedurally and financially, for all UK businesses that process EU citizens' data, which will therefore not need to take any additional steps to ensure that this information is properly protected.
What about the UK-US agreement?
It should be recalled that this adequacy decision was very far from being a foregone conclusion, mainly due to EU and civil society concerns about the UK's surveillance regime and its membership of the "Five Eyes" military intelligence alliance with Australia, Canada, New Zealand and the US.
The signing of a cooperation agreement between the UK and the US in October 2019 remains one of the European Commission's main concerns.
The agreement, which is part of the CLOUD Act, provides for law enforcement authorities to request electronic evidence directly from a cloud service provider without going through the procedures of mutual legal assistance treaties for offences punishable by a maximum term of imprisonment of at least three years. With the invalidation of the Privacy Shield, this agreement would therefore not be in compliance with the GDPR.
In this regard, the UK authorities explained that the details of the concrete implementation of the data protection safeguards are still under discussion between the UK and the US. The agreement will only enter into force if "its implementation complies with the legal obligations set out in the agreement".
The UK is therefore required to provide Brussels with information on "how the US will comply with its obligations under the agreement".
UK-US cooperation agreement continues to raise concerns because of the CLOUD Act
The adoption of these texts does not, therefore, put an end to certain questions or to fears about possible divergences between the UK data protection framework and the EU, with regard to the cooperation agreement between the UK and the US. For this reason, these adequacy decisions are only valid for 4 years.
This adequacy decision also includes, for the first time, a so-called "automatic deletion" clause, which applies if the UK-US agreement does not comply with the GDPR.