Good news followed the weekend, as the European Commission approved plans to recognise the United Kingdom’s data protection regime as ‘adequate’. This decision followed a unanimous vote by the EU member states, bringing closure to a post-Brexit world that has been awash with uncertainty.
Following the end of the Brexit transition period on 31 December 2020, transfers of personal data from the European Economic Area (EEA) to the UK have been freely permitted by virtue of a six-month additional transition period.
European concerns with UK exceptions for national security, surveillance and immigration control rendered adequacy uncertain. With the transition period set to end on 30 June 2021, transfers of personal data from the EEA to the UK were to be subject to Article 45 of the EU General Data Protection Regulation (GDPR).
What does this mean in practice?
The latest news comes as a huge relief to UK businesses, as well as those data Controllers in Europe and beyond, bound by the material and territorial scope of the GDPR, for whom UK-based service providers are strategic data processors.
In essence, this adequacy decision ensures that personal data can continue to flow freely from the EEA to the UK without the need for additional arrangements. Controllers can therefore continue to rely on Data Processing Agreements compatible with Article 28 of the GDPR.
A ‘no adequacy’ decision would have had significant ramifications for EEA and UK organisations, not least a reduction in trade, reduced investment, the requirement to relocate business functions, infrastructure and personnel, and an increased risk of fines due to new compliance requirements imposed on organisations.
What does the future hold?
The European Commission has emphasised the need to future-proof the adequacy finding on the basis that, following Brexit, the UK is no longer bound by EU data privacy legislation. As a result, this decision has been granted for only four years – the first ruling of its kind with the condition of a sunset clause.
This means the UK data protection regime will face similar scrutiny in 2025. If standards are deemed to have slipped and the UK Government allows its own data protection legislation to deviate too far from the European benchmark, there will be no automatic continuation. Moreover, the Commission has warned that ‘adequate’ status could be withdrawn at any time if adequate protection of European subjects’ personal data is not maintained.
Meanwhile, at a time in which privacy rights group action is at an all-time high, there remain areas of the UK data protection regime which may still be subject to challenge. Let us not forget, 12 months on, many data privacy professionals are still dealing with the fallout of the invalidation of the EU-US Privacy Shield. That said, any such challenge of UK adequacy would have to follow the same path to the Court of Justice of the European Union via the judicial process.
How can Bridewell assist?
Considering the ever-evolving global data privacy landscape, Bridewell's Data Privacy team is continuing to support our clients. As regulation changes, we will work with you to understand your cross-border data flows, either across an organisation's operations or within specific systems.
We are also able to combine our privacy expertise with cyber security analysis to validate data flows within an organisation as required. We will then ensure that there are appropriate technical and organisational measures in place for any gaps identified, supporting remediation with the client, which can range from technical changes to policy or procedural changes.