March 7, 2021


Photo by Marcin Nowak on Unsplash

The European Commission has recently released its draft for the UK adequacy decision. If adopted, the adequacy decision would allow the data flow to and from the United Kingdom to continue as normal. However, in case it is not adopted, the problem could be insurmountable: if the European Commission acknowledges that the laws regulating lawful interception in UK, such as the Investigatory Powers Act 2016, are interfering with the rights and freedoms of data subjects, the issue cannot be overcome by enhanced standard contractual clauses or integrating additional safeguards. The reason is quite straightforward: if the interference of those is deemed severe, then only a repeal of the laws regulating interception can radically change the situation. Thus, if you are transferring data to the UK and would like to be ready for the worst case scenario, you should implement anonymisation measures to fall outside the scope of GDPR. Also, a strong encryption could render your data non-personal, but one could still have problems if using homomorphic encryption, as operations can be still performed on the data set to a certain extent. In any case, it is important to remember that the UK has adopted the so-called UK GDPR, which is an (almost) copy-and-paste of the GDPR. Thus, if you are doing business in the UK, do not forget that the compliance must be mirrored (you should elect a representative in UK and a DPO if needed, a record of processing activities and so forth).