Draft decision deems UK data laws ‘adequate’
24 February 2021: The UK government has welcomed the European Commission’s recent draft data adequacy decision, which paves the way for the continued free flow of data from the EU and the UK.
The European Commission has launched the process towards the adoption of two adequacy decisions for transfers of personal data to the United Kingdom, one under the General Data Protection Regulation (GDPR) and the other for the Law Enforcement Directive (LED). Final positive data adequacy decisions under both these processes would allow for personal data to continue to flow freely from the European Union (EU) and the wider European Economic Area (EEA) to the UK.
“This is a welcome first step in the process and we hope that the European Data Protection Board will confirm as soon as possible that the UK’s data protection regime is adequate”, said Dr Jane Berney, ICAEW Technical Manager for Business Law.
“It is not a done deal, however, and whilst UK businesses can continue to receive personal data from the EU in accordance with the EU-UK Trade and Cooperation Agreement’s bridging mechanism members should be aware that this is still a temporary arrangement.”
The UK formally provided the Commission with comprehensive explanatory material nearly a year ago at the start of the adequacy assessment in March 2020. The UK has already recognised the EU and EEA member states as ‘adequate’, as part of its commitment to establish a smooth transition for the UK’s departure from the bloc and manage data flows on an objective basis.
However, the Commission did not finalise draft decisions in time to complete the adoption process by the end of the transition period. For this reason, as part of the UK/EU Trade and Cooperation Agreement, a time-limited ‘bridging mechanism’ for personal data flows was agreed upon. This currently allows personal data to continue to flow as it did before the end of the Brexit transition period for up to six months, while the EU completes the adequacy process.
ICAEW reminds members that the publication of the draft decisions is only the beginning of a process towards the EU’s adoption, it is not yet final. It will now go to the European Data Protection Board, which has to give an opinion.
Following the draft adequacy decision:
- The opinion of the European Data Protection Board will be taken into account.
- Then the European Commission will request the green light from Member States' representatives in the so-called comitology procedure.
- Following that, the European Commission could adopt the final adequacy decisions for the UK.
The above steps should be completed before 30 June 2021, when the temporary arrangements under the bridging mechanism will cease. As with all adequacy decisions, any resolution on UK-EU data flow will also be mandatorily reviewed after four years and will be upheld only after a satisfactory review
Technical confirmation of the draft adequacy decisions will help make sure UK businesses and organisations in everything from logistics to legal services, healthcare to human resources can continue to receive personal data from the EU and EEA without additional procedural work, such as the addition of standard contract clauses.
This ensures they will avoid potential knock-on effects for consumers and boost UK start-ups and smaller firms which operate in EU markets and sell to EU customers.
“Although the EU’s progress in this area has been slower than we would have wished, I am glad we have now reached this significant milestone following months of constructive talks in which we have set out our robust data protection framework”, said Secretary of State for Digital, Oliver Dowden.
Dowden concluded: “I now urge the EU to fulfil their commitment to complete the technical approval process promptly, so businesses and organisations on both sides can seize the clear benefits.”
The EU’s justice chief Didier Reynders said the decision was “crucial” to maintain close trade and security ties with the U.K. “We have thoroughly checked the privacy system that applies in the U.K. after it has left the EU,” Reynders said in a statement.
“EU citizens’ fundamental right to data protection must never be compromised when personal data travel across the Channel. The adequacy decisions, once adopted, would ensure just that,” he added.
ICO Information Commissioner Elizabeth Denham welcomed the announcement as moving the UK “a step closer” to having a clear picture for organisations processing personal data from the EU.
“The draft adequacy decisions are an important milestone in securing the continued frictionless data transfers from the EU to the UK,” added Denham.
ICAEW reminds members that this is a temporary arrangement, and they should continue to monitor their data flows and work with any EU/EEA organisations that transfer personal data to you to put in place alternative transfer mechanisms that safeguard against any interruption to the free flow of EU-to-UK personal data.