The European Commission has published its draft adequacy decision in respect of the UK, which is an important step towards the continued free flow of personal data from the EEA to the UK. Amir Kousari, Senior Associate and data protection expert at tech law firm Boyes Turner explains the implications.
Processing of personal data in the UK is now governed by the Data Protection Act 2018 and the UK GDPR, which is based on the EU GDPR. The European Commission has determined that the UK data protection regime provides an equivalent level of protection to EU law and by publishing its draft decision, the European Commission has started the process towards granting adequacy status to the UK. The UK government and the ICO have both welcomed the decision and recognise that this is a step towards ensuring the continued and seamless flow of data between the EU and the UK.
Brexit and the threat to data flows
Brexit had caused uncertainty and potential disruption to data flows from the EEA to the UK, with the UK being relegated to ‘third country’ status because a favourable adequacy decision (the EU process to certify that a country meets EU standards on data protection) was not issued before the end of the transition period on 31 December 2020. The UK has already granted 'adequacy' for transfers of personal data from the UK to the EEA, however the threat to data flows from the EEA to the UK remained, without a reciprocal decision from the EU.
Data flows from the EEA to the UK are crucial for high-value industries such as technology, banking and financial services and disruption would be hugely damaging to businesses on both sides. Modelling by UCL and New Economics Foundation (NEF) had estimated the lack of an adequacy decision would have cost businesses up to £1.6 billion in compliance activities and investment in goods and services.
Prolonged uncertainty could also jeopardise the UK’s position as the largest data centre market in the EU (the UK had around 858,000 square meters of data space as of December 2019).
The UK Government’s interim solution was to agree a ‘bridging mechanism’ as part of the UK/EU Trade and Cooperation Agreement, ensuring that data could continue to flow between the EEA and the UK for up to six months. However, certainty could only come with an adequacy decision from the European Commission.
The adequacy decision is draft and there are two further steps which must be negotiated before the European Commission can adopt the decision. The next step is for the EDPB to deliver its opinion on the decision and the European Commission is likely to adopt the EDPB’s recommendations before publishing the decision in its final form. The final step will be for representatives from EU member states to approve the decision.
Whilst it is not clear how long these steps will take, it is to be hoped that they will be completed before expiry of the bridging mechanism under the UK/EU Trade and Cooperation Agreement to avoid disruption to business.
The Path after Adequacy
If the adequacy decision is confirmed it will be valid for four years. This will allow the EU to monitor the UK’s data protection regime, which may evolve now that the UK is no longer bound by EU privacy rules.
The UK was a leading force in the introduction of the GDPR and shares a similar attitude to the EU towards privacy rights so it will be interesting to see UK privacy rules develop over the coming years.
The UK may decide to deviate from EU law where that may facilitate trade deals as part of an effort to bolster the UK economy that has been crippled by the effects of a pandemic. A trade deal between the UK and the US could undermine an adequacy decision, especially if it allows unrestricted data flows. Last year the Court of Justice of the European Union (CJEU) declared the US’s Privacy Shield framework invalid after accepting concerns about US surveillance programs, a result that has created significant challenges for data transfers between the EU and US.
The immediate response to the provisional data adequacy decision from many businesses, particularly those in the tech sector, is relief that certainty is on the way. However, it is important to keep an eye on the final steps towards achieving adequacy and how the UK’s privacy rules develop.
Consistent with our policy when giving comment and advice on a non-specific basis, we cannot assume legal responsibility for the accuracy of any particular statement. In the case of specific problems we recommend that professional advice be sought.