A couple of weeks ago, the European Commission (the “EC”) issued its draft decision in relation to the UK’s adequacy under data protection rules. The decision has now been passed to the European Data Protection Board (the “EDPB”) to give its opinion before the EU member states (through their representatives) decide whether to adopt or not.
What is the current position?
As I mentioned in my blog on 11th January (available here), the UK is in a transition period for data protection purposes. Under the Trade and Cooperation Agreement (the “TCA”) data can continue to flow in and out of Europe without any other considerations, so long as the UK does not change its data protection legislation. The transition period was designed to give the EC sufficient time to decide if the UK data protection framework was adequate and will continue in place until an adequacy decision is reached or until the end of April 2021 (with the potential to extend to June 2021).
Why is adequacy important?
The TCA provides UK and EU businesses with a transition period where personal data can continue to flow in the same way as pre-Brexit. An adequacy decision would confirm that the UK provides a suitable level of protection for transfers of personal data from the EEA so post TCA, this free flow can continue. However, without an adequacy decision in favour of the UK, at the end of the 4 (or 6) month transition period, businesses transferring data from the EU into the UK would need to start treating the UK as third country. It is worth noting at the moment and whether or not the adequacy decision is adopted, businesses can continue to transfer data into the EU from the UK without doing anything further.
What if the decision is not adopted?
If the adequacy decision is not adopted, the UK will become a third country and subject to stricter transfer rules set out in the EU GDPR. Essentially any data transfers from the EEA into the UK will need to ensure that appropriate measures and safeguards are in place to protect personal data. This means organisations within the EU would need to look at standard contract clauses or binding corporate rules to lawfully enable personal data to transfer into the UK.
Anything else to consider?
Even if adopted the adequacy decision does not change the fact that the UK and the EU are now separate regulatory regimes and businesses that operate in both will need to comply with the EU GDPR and the UK GDPR. There may also be certain steps which need to be taken, like appointing a representative or identifying a lead supervisory authority.
Additionally, it does not address an issue which could arise down the line if, for any reason, the UK amends the UK GDPR and deviates from the principles which are broadly in line with the EU GDPR at present. The adequacy decision, if approved, will be subject to review every four years so it is possible the decision could be reversed in future if there is divergence away from EU standards. The adequacy decision could also still be challenged by the Court of Justice of the EU (in the same way the EU-US privacy shield was challenged). If successfully challenged, the decision could be removed and the UK would revert to a third country needing additional measures in place for data transfers from the EU.
The final point to note is the time is still ticking on the TCA transition period and it is due to end at the end of April, although can be extended to the end of June. This means if there is substantial comment from the EDPB this has the potential to slow down the timetable of getting the adequacy decision so could push the UK out of the transition period with no decision made in time.
For now, it is very much business as usual for data protection and the flow of personal data in and out of Europe. The draft adequacy decision is a welcome step forward and marks an important milestone in ensuring continued free flow of data. But businesses should still (i) do a health check and ensure policies and procedures are fit for purpose and to identify any steps which need to be taken to ensure compliance with the UK GDPR as well as the EU GDPR (if applicable) and (ii) keep an eye on critical data flows from the EEA so any “at risk” areas are identified early and suitable safeguards can be put in place to plug any gap in case the adequacy decision is not adopted or is or overturned at a later date.
If you need any advice about data protection, Brexit and its implications or any business matters generally, please get in touch with Blackadders’ Corporate & Commercial Team working in Aberdeen, Dundee, Edinburgh, Glasgow, Perth and across Scotland.
Ruth Weir, Associate Solicitor
Corporate & Commercial
The opinions expressed in this site are of the author(s) only and do not necessarily represent the opinions of Blackadders LLP.
Blackadders takes all reasonable steps to ensure that the content of this site is accurate and up to date. The site is not, however, intended as a substitute for seeking legal or other professional advice but rather as an informative guide to the services provided by Blackadders and topical legal developments. Site visitors should always seek advice tailored to their specific situation. Consequently, Blackadders accepts no responsibility for any loss or damage suffered by anyone acting or failing to act on the basis of information contained on this site. Downloading of material contained on this site is at the user’s own risk and all necessary virus checks must first be carried out by the user. Blackadders is not responsible for the material found on any web sites linked to this one and links to this site may only be made with Blackadders prior consent.
Blackadders owns the copyright in this blog and all material contained on it. The material on this site may be downloaded for personal use only and must not be altered. Otherwise, Blackadders’ written consent is required before any material on this site is reproduced, copied or transmitted in any way.
Information passed to us via this site is kept confidential and will not be disclosed to third parties except if authorised by you or required by law.
© Blackadders LLP 2022
Members of the Law Society of Scotland.
Blackadders Solicitors is a trading name of Blackadders LLP, a limited liability partnership, registered in Scotland No SO301600 whose registered office is 30 & 34 Reform Street, Dundee, DD1 1RJ. Reference to a ‘partner’ is to a member of Blackadders LLP.