UK: DCMS publishes explanatory framework for adequacy decisions
The Department for Digital, Culture, Media & Sport ('DCMS') published, on 13 March 2020, its explanatory framework for adequacy discussions ('the Explanatory Framework'). In particular, the DCMS noted that the UK is seeking adequacy decisions from the European Commission in order to maintain the continued free flow of personal data between the EU and UK and Gibraltar. The DCMS highlighted that adequacy decisions are the European Commission's legal mechanism to facilitate the free flow of personal data from the European Union to third countries and can encompass data flows under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') for general and commercial purposes and data flows under the Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680) ('the Law Enforcement Directive') for law enforcement purposes. The DCMS added that such adequacy decisions, delivered through Article 45 of the GDPR and Article 36 of the Law Enforcement Directive, confirm that the third country’s data protection standards are 'essentially equivalent' to those of the EU and are adopted on the basis of a positive assessment of the third country's data protection framework by the European Commission.
Furthermore, the Explanatory Framework outlines protections for data subjects equivalent to those in EU law, including robust principles to protect personal data, clear grounds limiting when processing of personal data is lawful, effective and enforceable rights to give individuals more control over their data, limitations and conditions to ensure that, when restrictions to those rights are provided for through legislation, they are necessary and proportionate, clear onward transfer rules, and additional safeguards such as data protection impact assessments. Moreover, the Explanatory Framework states that the Information Commissioner's Office ('ICO') has a strong track record as an independent regulator capable of handling complex cases and imposing tough sanctions where necessary, has a full range of enforcement powers, is well-resourced, and works closely with other data protection authorities.
You can read the press release and access the Explanatory Framework here.