29 June 2021
There was an audible release of breath yesterday when the European Commission adopted the adequacy decision, ensuring the UK’s data protection rules are fit for EU purposes. The decision means the UK will not be treated as a third country for the purposes of the EU General Data Protection Regulations (GDPR), and allows the continued free flow of data between the EU and UK.
As outlined in an earlier newsletter (here), the deadline for reaching an agreement was 30 June so (as we have come to expect) the decision really did come down to the wire.
Timing of the adequacy decision
The adequacy decision formalises an interim arrangement under the EU-UK Trade and Co-operation Agreement, which was signed on 24 December 2020. Under this arrangement, it was agreed that the UK would not be treated as a third country under GDPR for 6 months from the Jan 1 “Brexit Day” to allow time for the adequacy decision.
Now that the adequacy decision has been formally adopted, UK data privacy rules (which are based almost entirely on EU law passed before Brexit Day) are treated as giving a similar level of protection as the GDPR which allows EU based companies to continue to transfer personal data the UK without the need for alternative safeguarding mechanisms.
Achieving adequacy status
An early decision was hoped for as the UK has incorporated GDPR into domestic law and so the UK and EU rules are mostly aligned. History, however, suggested otherwise as the EU has adopted only 12 adequacy decisions since 1995 (and usually only after a very lengthy process).
Keeping it adequate
All adequacy decisions are subject to periodic review (every four years) and any move by the UK to change its data protection rules in a manner which is viewed as detrimental to the data protection rights of EU citizens could result in the adequacy decision being revoked. The European Parliament and the Council may request the EC to amend or withdraw any adequacy decision.
Transfers of personal data from the UK to the EU
The UK has already declared GDPR as adequate for the purposes of UK data protection law. Now the EU adequacy decision has been formally adopted, the transfer of personal data between the UK and the EU will continue to carry on in much the same manner as before the UK’s departure from the EU.
“No change in the rules” should not be very big news but we are where we are. This is very positive news for companies transferring personal data from the EU to the UK. Doubtless there are a lot of people breathing a sigh of relief today given the troublesome alternatives to managing UK-EU data without an adequacy decision. We were hoping for an earlier announcement but there was a general feeling that common sense would prevail and, let’s not be churlish, this was agreed a whole 2 days ahead of deadline!
Chris Fallon, Sharon Thwaites & Tom Parker