Being told you are ‘adequate’ is hardly warm and fuzzy. But news from the European Commission is that an adequacy decision for the UK on personal data could be coming.
We aren’t there yet but this is a good thing.
So what is this ‘adequacy’ thing? And what should I do?
Notwithstanding the UK having in effect adopted EU data protection standards through what we now know as the ‘UK GDPR’ post the end of the Brexit transition period, there was no getting past the UK being a ‘third country’ as far as the EU is concerned on personal data.
The EU’s GDPR regime distinguishes between EU members and ‘third countries’ and sets a series of hurdles for EU personal data to be ‘exported’ out of the EU to third countries. This is aimed at ensuring that the protections afforded to people are not just handed away.
So, from 1 January 2021, with the end of the Brexit transition period for the UK, the UK became one of these ‘third countries’. That meant that in order for personal data to be transferred from the EU to the UK, there needed to be ‘adequacy’ compared to EU standards for the transfer of the data. This meant either the EU confirming ‘adequacy status’ for the UK, which would allow EU/UK businesses and organisations to continue to exchange data freely as they had done pre-Brexit, or else meeting one of the GDPR requirements, such as using Standard Contractual Clauses or Binding Corporate Rules.
The Brexit deal, or more correctly the EU-UK Trade and Cooperation Agreement, did not grant this adequacy status itself. What it did do was to create a further transition period of four months in which the UK would not be treated as a third country for EU to UK transfers of personal data, mutually extendable by a further two months, thereby giving the European Commission up to six months in which to agree and adopt an adequacy decision.
The good news? On 19th February 2021, the European Commission published its draft adequacy decision. This actually provides quite a detailed analysis of the UK regime, which for Data Protection anoraks and probably the odd research student is actually quite useful.
Most importantly, it finds that the UK regime meets the standards required and therefore can be considered to be adequate. In doing so, it potentially also sets a precedent for other jurisdictions, both in its conclusion and in the way that it has gone about it.
However, two things are worth noting.
Firstly, this is very much based on the self-evident conclusion that, as a former EU member state which has implemented the EU’s GDPR, what the UK is doing is equivalent or adequate. But of course that’s dependent on the UK framework not diverging. You could argue, though, that this finding therefore limits the extent to which the UK will want to change its framework, because doing so will prejudice any adequacy decision.
Secondly, this is a draft adequacy decision which still has to be finalised and accepted by the European Commission, following consideration by the European Data Protection Board and support by COREPER – the committee of representatives (Ambassadors) of EU member states.
When is not yet clear, but it must be hoped that it is not far away. And any decision would be for four years, which would provide considerable certainty for businesses and organisations in the UK and EU. In the meantime, the UK Government has already decided that the EU and UK GDPRs are comparable and represent ‘adequate provisions’ for data flow from the UK to the EU.
Even so, now could be a good time to review what you have in your contracts on data transfers and ‘third countries’ such as the US, especially in relation to your use of ‘Standard Contractual Clauses’, and to ensure that, for transfers to the US, you are not relying solely on the US-EU Privacy Shield, which was effectively struck down in the middle of 2020. Judging by what we have seen, a lot of businesses have not considered that or caught onto it.
So our recommendation would be – don’t panic but on the other hand keep up the pace and don’t put your feet up.