The European Commission has published draft decisions to deem the UK’s data protection regime “adequate”. Published on the 19th February, the drafts come after months of assessment by the Commission of the UK’s data protection regime and conclude that the UK ensures an equivalent level of protection to personal data to that guaranteed under the GDPR and the LED.
Whilst the decisions remain in draft form at this stage, they are indicative that a formal adequacy decision will follow, which would be a positive development for many businesses. The Information Commissioner Elizabeth Denham commented that the draft decisions are an important milestone in securing the continued frictionless data transfers from the EU to the UK.
The transition period following the UK’s departure from the EU expired on 31st December 2020. From 1st January 2021, the UK became a third country for data transfer purposes. However, data flows between the EU and the UK continued under a four-month grace period (potentially extending to 6 months) provided by the Trade and Co-Operation Agreement (the TCA).
During the grace period, the EU committed to assessing the UK’s data protection regime with a view to granting an adequacy decision. Should the EU fail to grant an adequacy decision, data flows from the EU to the UK would be permissible only if certain mechanisms ensuring the protection of personal data are implemented. Those mechanisms include standard contractual clauses and binding corporate rules: standard terms within contracts which ensure that personal data is protected to an equivalent standard afforded by the GDPR.
A data adequacy decision would allow personal data to continue to flow freely from the EU to the UK. Continuous and undisturbed data flows are critical in a growingly digitalised world, and the drafts published are an encouraging indicator that the Commission will adopt the decisions. An adequacy decision would allow UK businesses to continue to receive personal data from the EU without the additional costs of revising existing agreements to incorporate safeguarding mechanisms and avoid the need to conduct time-consuming data mapping exercises.
The two drafts relate to the GDPR, and the Law Enforcement Directive and publication starts the process of their adoption: the European Data Protection Board must now obtain a non-binding opinion and approval is given by a committee of representatives of EU Member States. Once this procedure is complete, the Commission could adopt the two adequacy decisions.
The UK Government has welcomed the Commission’s draft data adequacy decisions and has urged the EU to complete the technical approval process swiftly to formalise the adequacy decisions as soon as possible.
It is still possible that the EU will fail to grant an adequacy decision – in which case the UK faces a potential data protection “cliff-edge” at the end of April, or June 2021 and businesses will need to ensure that the relevant mechanisms are in place to protect the personal data transfers they conduct.
Any adequacy decision granted will also be re-assessed every four years to ensure that the UK’s data protection regime has not during this time diverged from the EU’s model so as to compromise the protection of EU citizens’ data. The draft decisions include monitoring and reviewing mechanisms should the UK’s data protection law no longer be conducive to the EU approach.
The UK has already formally recognised the EU as adequate. Therefore, data flows from the UK to the EU can continue uninterrupted without the requirement for implementing additional safeguards. However, the UK Government have confirmed that they intend to keep this under review.
Personal Data may be transferred from the UK to non-EU countries if the UK has deemed the recipient country as adequate. If a country has not been deemed adequate by the UK, then the transfer of data may be permissible if alternative mechanisms are put in place, such as appropriate safeguards.
Our expert team of Data Protection Solicitors are able to advise you on the data protection aspects of your business and provide you with the appropriate documentation to ensure your compliance. For further information, you can access our dedicated Brexit Hub section or contact us on 0161 941 4000 or email our data protection specialists.