EDPB Extends UK Adequacy Decisions Pending Finalization of Privacy Law
The European Data Protection Board Monday extended the expiration date of European Commission adequacy decisions related to the transfer of personal data to the U.K. from the EU under the General Data Protection Regulation and the Law Enforcement Directive.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
The decisions, which found that the U.K. regime adequately protects Europeans' personal data, were set to expire June 27 unless renewed. However, the EDPB noted, the U.K. government introduced a Data (Use and Access) Bill that proposed amending certain aspects of the country's data protection law. The bill is working its way through Parliament.
Since the assessment of the essential equivalence of U.K. privacy law must be based on a stable legal framework, the board said, the EC proposed extending its adequacy decisions until December 27 to allow the legislative process to end before it assesses whether changes to the decisions are needed.
The EDPB also approved an opinion on an EC draft adequacy decision for the European Patent Organisation (EPO). Once formally adopted, the board noted, this will be the first adequacy decision relating to an international organization rather than a country or region.
The EDPB noted that the EPO's data protection framework largely aligns with the EU's but recommended that some aspects be clarified and closely monitored by the EC. For example, it asked the EC to clarify that, under the EPO's data governance structure, the data controller (EPO) remains the entity ultimately responsible for breach of privacy rules.