The UK’s inadequate data protection framework

Once the Brexit withdrawal agreement “transition period” ends on 31 December 2020, the UK will become a “third country” under the EU’s General Data Protection Regulation. The UK has adopted very similar domestic laws to the GDPR, in the hope of being assessed as “adequate” by the European Commission, so personal data may continue to flow freely from EU data controllers to the UK. But there are significant problems with this framework, as we set out this morning in this first of two submissions to the European Commission, European Data Protection Board, and European Parliament. We hope to complete the second part, on issues relating to the UK’s national security law and practice, later this month.