European Commission publishes draft adequacy decision for UK
Plenty of businesses have been worrying about what will happen with regards to data flows, now we’ve left the EU. Under the EU’s GDPR certain circumstances need to be in place if personal data is to be transferred outside of the EEA. This is particularly relevant if the country that the data is being transferred to is not deemed (by the European Commission) to provide “adequate protection” for personal data. If this is the case then additional measures are usually required (such as putting in place written contracts that include standard contractual clauses as prescribed by the European Commission).
Since December 2020 the Trade and Cooperation Agreement, agreed with the EU, allowed personal data to flow freely from the EU (and EEA) to the UK. This was a temporary measure (until June 2021 at the latest) while the formal adequacy decision was considered.
The good news is that the EU has now published its draft adequacy decision for the UK, taking things one step further forward. This says that the UK does provide an adequate level of protection for personal data transferred from the EEA under the GDPR. It includes a detailed assessment of the UK’s ability to access and use personal data transferred from the EEA.
If approved this will mean that businesses and public bodies, across all sectors, could continue to receive data from the EU (and EEA) freely. The free flow of data would also be allowed to continue for law enforcement purposes (such as preventing and detecting criminal activity).
The European Commission has also published a similar draft decision with respect to the Law Enforcement Directive.
These decisions will be considered by the European Data Protection Board (EDPB) so that can provide comments to the European Commission.
This is good news for the UK as recent research has shown that the cost of putting alternative transfer mechanisms in place could have cost UK businesses £1.6 billion.
But it might not be as simple as all that. First the decision will be subject to review every four years. Second, the UK will need to ensure that (for this to be renewed) UK data protection law does not deviate too far, in the future, from EU standards. In particular the UK will need to think carefully about the third countries it awards its own adequacy decisions to. Finally, there is the risk that any approved decision might be legally challenged by the Court of Justice of the European Union and be declared invalid, as happened over the EU-US Privacy Shield decision. Many consider this likely, given the recent challenge of UK surveillance laws in the CJEU in the Privacy International case.
To get an idea of how things could work, were adequacy not ultimately conferred, you can look at the Schrems II case that we wrote about, requiring companies to conduct their own adequacy assessments.
If you would like to discuss this or your data processing agreements you can contact one of our data protection specialists here.