March 23, 2020

The Government explains that the UK is seeking adequacy decisions from the European Commission in order to maintain the continued free flow of personal data between the European Union and UK and Gibraltar after the end of the transition period. The Government’s pack of documents provides an overview of the UK’s comprehensive legal framework underpinning the UK’s high data protection standards. They set out the information necessary for the EU Commission to plan and conduct its assessment in good time.

The documents set out why the Government thinks that the UK meets the standard of “essential equivalence”. At the end of the transition period, the key legislative elements of the UK’s framework will be the Data Protection Act 2018 and the UK GDPR, which provide comprehensive protections for data subjects equivalent to those in EU law, including:

• robust principles to protect personal data: lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. There are also clear definitions for vital concepts, such as personal data, sensitive data, processing, controller, and processor;
• clear grounds limiting when processing of personal data is lawful: including further conditions for the validity of consent;
• effective and enforceable rights to give individuals more control over their data: including the right to request access to their personal data, rectification of their data, and the right to object to its processing and request its erasure; a right to receive clear information about the processing of their personal data; a right to have the processing of personal data for direct marketing purposes stopped, a right to portability of data, a right to restrict processing, and a right not to be subject to a decision based only on automated processing;
• limitations and conditions: to ensure that, when restrictions to those rights are provided for through legislation, they are necessary and proportionate;
• clear onward transfer rules: to ensure personal data continues to receive an adequate level of protection when it leaves the UK; and
• additional safeguards: provided in certain situations through requirements, such as detailed records of processing, data protection impact assessments, a data protection officer, and data breach notification.

The Government also says that the UK’s framework provides for effective administrative and judicial redress for data subjects in the UK and the EU through the Information Commissioner’s Office, which is well resourced, has powers to levy substantial administrative fines, has a full range of enforcement powers, works closely with other data protection authorities, and is influential in driving global privacy standards.

The Government says that the UK’s legal framework also sets out robust rules for law enforcement and the national security processing of personal data. In addition, the Government says that the UK has an ongoing commitment to robust global data protection standards. To access the policy paper documents, click here.