On 19th February 2021, the European Union (“EU”) Commission published its draft adequacy decision, recognising that the UK’s data protection regime effectively ensures an equivalent level of protection to that guaranteed under the General Data Protection Regulation (“GDPR”).
Another step closer to adequacy
This important next step follows the news on 24 December 2020 that the UK and the EU finally reached a decision under the draft EU-UK Trade and Cooperation Agreement. It was agreed that personal data would continue to flow at the end of the transition period (31 December 2020) without any change for the next 6 months. This would allow the European Commission to complete its adequacy assessment of the UK’s data protection regime.
As a result, we are a step closer to confirmation that data will continue to flow, uninterrupted, from the EU and wider European Economic Area (“EEA”) to the UK. The UK has already recognised the EU and EEA member states as ‘adequate’, ensuring data can continue to flow from the UK to the EU without restriction.
The draft decision follows months of discussions and assessment of the UK’s data governance standards by its EU counterparts. The draft decision will therefore be welcomed by organisations in the UK (and likely by EU counterparts), as it looks like we will avoid the large amount of paperwork that would ensue in reviewing contractual arrangements if the UK were not to receive adequacy.
As part of the technical approval process, the European Data Protection Board (“EDPB”) is now required to provide its ‘non-binding opinion’ on the draft decision before it is presented to EU member states for formal approval. Following that, the European Commission could adopt the final adequacy decision for the UK.
Technical confirmation of the draft adequacy decision will allow UK businesses and organisations to continue to transfer personal data from the EU and EEA without the need for additional safeguards, for at least the next four years, after which it will be possible to renew the adequacy finding if the level of protection in the UK continues to be adequate. As such, it is imperative that the UK does not backslide on its current approach, which is looking ever more likely to be deemed adequate.
On 1st January 2021, the UK GDPR came into force by virtue of the snappily named ‘The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019’ (the “Exit Regulations”). The effect of the Exit Regulations is to codify the GDPR into UK law, with references to EU institutions and mechanisms changed for equivalent UK institutions and mechanisms. Given this, the UK GDPR is currently near identical to the EU GDPR, but there will be divergence over time as the UK GDPR is not subject to the jurisdiction of the European Court of Justice (but the EU GDPR is).
What this means for data protection in the UK remains unclear. Some feel that we’ll remain aligned to EU data protection laws, whereas others expect the UK government to take a different approach over time. A new Information Commissioner will be appointed this year as well, with Elizabeth Denham leaving her post on 31st October. Again, there is some speculation that the Government may take a different approach to ICO leadership, but we’ll have to wait and see. In any event, if you trade or work in the EU as well as the UK, there will be a need to monitor and comply with both regimes.
If you have questions about post-Brexit data flows, or need input on representatives, we’d be happy to discuss these issues with you in more detail.