The European Commission is empowered to determine whether a third country has an adequate level of data protection. An adequacy decision has the consequence that personal data may be transferred from an EEA State to a third country without the need to take additional security measures. “I cannot predict now whether it will be so simple and without further negotiation for a possible adequacy decision, because we do not know whether or not the UK will introduce into its national legislation certain changes that could derogate from the general line of the General Data Protection Regulation,” Jourová said. If the UK becomes a “third country” after Brexit, for reasons of legal certainty and as the strongest guarantee of the free flow of personal data, an adequacy decision can be considered a preferred approach. However, some challenges have arisen: despite the update of the data protection agreement currently in force between the US and the EU, the NSA or other US secret services can still monitor EU citizens in a way that is contrary to EU law. “The transferred data is not protected from mass state surveillance, regardless of the legal mechanism of transfer,” the report said. This jeopardizes the longevity of the agreement. “This report argues that due to problems with the U.S. system, it is very plausible that both [SCCs and the Privacy Shield] will end up being invalidated,” Patel says.
However, on the same day that the Commission issued its January statement, Boris Johnson said the UK would restore `sovereignty` over data protection, which was clarified in the accompanying written statement: “The UK will in future put in place separate and independent policies in […] Data protection. This context can only mean that no agreement has been reached on the adequacy of the data. I would like to say politely that “we will take our ball and go home” is neither a political position nor a negotiating position. .