When the UK left the EU on 31st December 2020 they became a “third country” under EU data protection legislation. By virtue of the EU-UK Trade & Co-operation Agreement transfers of data from the EU to the UK are unaffected until 30th June 2021 (at the latest) but what is the position after that?
If the UK were to remain a “third country” any data transfers from the EU to the UK would need to comply with additional compliance and security measures under the EU GDPR. There would undoubtedly be cost implications. Transfers of data from the UK to the EU are unaffected as the UK has already taken the decision that the EU ensures an adequate level of protection.
The best possible outcome for the UK is for the EU to grant an adequacy decision, effectively indicating that that the UK provides a level of data protection similar to that set out in the EU GDPR.
The good news is that on 19th February 2021 the European Commission issued two draft adequacy decisions for transfers of personal data to the UK, one under the EU GDPR and the other for the Law Enforcement Directive. Publication of the draft decisions is the start of the process which will hopefully, ultimately, lead to their adoption.
The European Commission has been assessing the UK’s law and practice over a period of months. In coming to their decision to issue the drafts, their conclusion was that the UK ensured an equivalent level of protection.
Undoubtedly the path to adequacy has been eased by the fact that EU law has shaped the UK’s data protection regime for many years and, in addition, the UK has recently adopted the provisions of the GDPR into UK legislation (the UK GDPR effectively mirrors its EU counterpart).
The decision by the EU has been welcomed by the UK Government who are keen to ensure that the approval process is completed in a timely manner to ensure certainty well ahead of the 30th June deadline.
The draft decisions, if adopted, will remain in place for four years. After four years there is scope to renew the decisions if the level of protection in the UK continues to be adequate. This safeguards the EU’s position should the UK decide to radically overhaul its legislation in the meantime to create greater divergence with the EU. In the words of Vĕra Jourová, Vice President for Values and Transparency:
“Ensuring free and safe flow of personal data is crucial for businesses and citizens on both sides of the Channel. The UK has left the EU, but not the European privacy family. At the same time, we should ensure that our decision will stand the test of time. This is why we included clear and strict mechanisms in terms of both monitoring and review, suspension or withdrawal of such decisions, to address any problematic development of the UK system after the adequacy would be granted”.
There is reason to be optimistic that adequacy will be granted but we will be sure to keep you up to date as and when that might be [1].
[1] Update: On 28th June 2021 the EU Commission published two adequacy decisions in respect of the UK. These are expected to last until 27th June 2025 (although the Commission must monitor developments in the UK on an ongoing basis to ensure that the UK continues to provide an equivalent level of protection. If not then they could they could end earlier).
