legislation, notably Regulation (EU) 2016/679, as well as the case law of the Court of Justice of the European Union3. The European Data Protection Board’s adequacy referential is also of significance in this regard4. As clarified by the Court of Justice of the European Union, this does not require finding an identical level of protection5. In particular, the means to which the third country in question has recourse for protecting personal data may differ from the ones employed in the European Union, as long as they prove, in practice, effective for ensuring an adequate level of protection6. The adequacy standard therefore does not require a point-to-point replication of Union rules. Rather, the test lies in whether, through the substance of data protection rights and their effective implementation, supervision and enforcement, the foreign system as a whole delivers the required level of protection7.
(5)
The Commission has carefully analysed the law and practice of the United Kingdom. Based on the findings developed in recitals (7) to (264), the Commission concludes that the United Kingdom ensures an adequate level of protection for personal data transferred within the scope of Regulation (EU) 2016/679 from the European Union to the United Kingdom.
(6)
This Decision should not affect the direct application of Regulation (EU) 2016/679 to organisations established in the United Kingdom where the conditions regarding the territorial scope of that Regulation, laid down in its Article 3, are fulfilled.
2.
RULES APPLYING TO THE PROCESSING OF PERSONAL DATA
2.1.
The constitutional framework
3
4
5 6 7
EN
(4)
(7)
The UK is a Parliamentary democracy which has a constitutional sovereign as Head of State. It has a sovereign Parliament, which is supreme to all other government institutions, an Executive drawn from and accountable to Parliament and an independent judiciary. The Executive draws its authority from its ability to command the confidence of the elected House of Commons and is accountable to both Houses of Parliament which are responsible for scrutinising the Government and debating and passing laws.
(8)
The UK Parliament has devolved responsibility to the Scottish Parliament, the Welsh Parliament (Senedd Cymru), and the Northern Ireland Assembly for legislating on domestic matters in Scotland, Wales and Northern Ireland which the UK Parliament has not reserved to itself. While data protection is a reserved matter, i.e. the same legislation applies across the country, other areas of policy relevant to this Decision are devolved. For instance, the criminal justice systems, including policing, of Scotland and Northern Ireland are devolved to the Scottish Parliament and Northern Ireland Assembly, respectively. The United Kingdom does not have a codified See, most recently, Case C-311/18, Facebook Ireland and Schrems (“Schrems II”) ECLI:EU:C:2020:559. European Data Protection Board, Adequacy Referential, WP 254 rev. 01.available at the following link: https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614108 Case C-362/14, Schrems (“Schrems I”), ECLI:EU:C:2015:650, paragraph 73. Schrems I, paragraph 74. See Communication from the Commission to the European Parliament and the Council, Exchanging and Protecting Personal Data in a Globalised World, COM(2017)7 of 10.1.2017, section 3.1, pages 6-7, available at the following link: https://eur-lex.europa.eu/legalcontent/EN/TXT/PDF/?uri=CELEX:52017DC0007&from=EN
2
EN
