Britain has recently achieved two significant milestones in order to reach a positive adequacy decision. Britain’s departure from the EU gave rise to many legal issues, as you can imagine. One such legal issue was (and is) data protection. Whilst GDPR regulated the transfer of personal data within the EU and the EEA, now that we are no longer under that regime, we become a ‘third country’ and must demonstrate to the European Commission (“EC”) that our data protection laws are adequate to permit continued data transfers.
On 19 February, the EC released their draft decision on whether the UK’s data protection standards should be found ‘adequate’. This was followed on 14 April by a positive opinion from the European Data Protection Board (“EDPB”). This blog discusses these decisions and outlines the next steps in the decision-making process.
An adequacy decision means that the EC is satisfied that the UK has an adequate level of data protection. The effect of adequacy will mean that no additional safeguards will be necessary for the transfer of personal data from the EEA to the UK. Under the UK-EU Trade Agreement, such personal data transfers can only continue without additional safeguards until 1 July 2021 in the absence of an adequacy decision. Please see our previous blog “GDPR and Brexit | Changes to requirements after Brexit and the UK-EU Trade Agreement” for further detail regarding safeguards and the implications of adequacy.
On 19 February, the EC released their draft decision concluding that the UK ensures an ‘essentially equivalent’ level of protection to that guaranteed under the GDPR. This is good news for those involved in transferring personal data from the EEA to the UK; it is one step closer towards maintaining the status quo.
The matter was then sent to the EDPB for a non-binding opinion, which was published on 14 April. Whilst generally positive, it also highlighted a number of challenges for assessment and monitoring by the EC, including in particular:
Following the recent decision of the EDPB, the EC will seek approval from Member States’ representatives under the comitology procedure. The EC may then adopt a final adequacy decision, which their draft decision indicates will be valid for four years and subject to a renewal process. This is the first time a sunset clause has been included in an adequacy decision and serves to highlight their commitment to monitoring the UK’s data protection developments.
The government appears to be committed to diverging from EU data protection standards. In an article written for the Financial Times in February this year, secretary of state Oliver Dowden affirmed a commitment to take advantage of opportunities whilst maintaining world-class data protection standards. He sees Brexit and his search for a new information commissioner as a unique opportunity to find new opportunities for businesses to use data. This ‘bold new approach’ is hoped to provide economic benefits, but it will remain to be seen whether the EU will approve of the deviations when the UK’s adequacy decision comes up for renewal.
If you would like to discuss this blog or any other commercial contract query, please contact a member of the Commercial team and we will be delighted to assist you.