On February 19 2021, the European Union Commission issued its draft adequacy decision for data flows between the European Union (EU) and United Kingdom (UK).
Whilst widely expected, this draft decision will provide some assurance about the continuing free flow of data between the EU and UK although businesses should take heed of a few ongoing regulatory issues.
Post-Brexit (the UK’s exit from the European Union):
The speed of issue of this draft decision will provide some comfort to businesses working across the EU and UK, but there are a few key issues to carefully consider. The draft decision must still be reviewed by the European Data Protection Board and then needs the “green light” from representatives of EU member states under the “comitology” procedure.
What Does Adequacy Mean?
In brief, an adequacy decision means that the EU has accepted that the UK data protection regime affords adequate protections for EU data subjects.
If the decision is adopted, data may continue to flow between the EU and UK without the need for additional provisions, such as standard contractual clauses or the adoption of binding corporate rules.
There had been some question as to whether special terms and conditions would be included to take into account the recent Schrems II ruling by the European Court of Justice, but the draft adequacy decision confirms that existing UK law is sufficient, and that no further safeguard steps need be taken by data exporters.
Regulatory Oversight – No “One Stop Shop”
Despite the adequacy decision, the UK and the EU are still subject to separate regulatory regimes.
From January 1, 2021 organisations that process data in the EU and the UK (or if UK based, offer goods or services, or target individuals in the EU and vice versa) are now subject to both the EU GDPR and the UK GDPR and, depending on their operations may need to:
Adequacy and the Longer Term
The Adequacy decision, once adopted, will not be a permanent position. It will be re-examined every four years by the EU and by the UK. However, this review period is longer than the review period in other adequacy decisions, for example the Japan adequacy decision allows for a review every two years, subject to confirmation after the first two-year review.
Some risk remains that any EU Adequacy decision may be challenged in a similar way to the Safe Harbor and Privacy Shield provisions which were recently challenged in the Schrems II case. This may be considered a heightened risk given the European Court of Human Rights ruling regarding the UK mass surveillance programme.
However, the EU UK Trade and Co-operation Agreement does include provisions which foresee the risk of future declarations of unlawful transfers. The Agreement outlines the steps to be taken by the Partnership Council to agree on joint interpretations, recommend appropriate actions, adopt appropriate adaptations and extend any suspensions. These provisions are based on the need for future co-operation, and the need to take steps to allow data to continue to flow between the EU and the UK.
Failing any resolution through the EU-UK Trade and Co-operation Agreement provisions, alternative mechanisms may need to be adopted to deal with any invalidation, for example the adoption of standard contractual clauses
Ongoing Opinions and Guidance – Some Divergence?
Despite the Adequacy decision, organisations operating in the EU and UK will need to continue to monitor developments in both areas. A few examples to bear in mind below: