On 24 December 2020 the UK and EU finally agreed the terms of a Brexit deal which included a temporary arrangement to allow continuing personal data transfers from territories within the EU to the UK.
This arrangement was met with relief by Irish businesses with UK affiliates or which use UK service providers that require transfers of personal data.
The temporary arrangement allows EU organisations to continue to transfer personal data to the UK until 30 April 2021, which period can be extended for a further two months (if neither the UK nor EU object) until 30 June 2021. The arrangement was put in place with a view to allowing sufficient time for the EU to make an “adequacy decision” in respect of UK data protection laws which would allow transfers of personal data to continue on a more permanent basis.
What does adequacy mean?
Essentially an adequacy decision would mean that the EU accepts that the UK data protection regime affords adequate protections for EU data subjects whose personal data is processed in that country. Where a particular territory is covered by an EU adequacy decision, personal data may continue to flow between the EU and that territory without the need for additional provisions such as standard contractual clauses or the adoption of other lawful mechanisms such as binding corporate rules.
The European Commission has now published a draft decision on the adequacy of the UK’s law and practice on personal data protection.
The draft adequacy decision will now be reviewed by the European Data Protection Board (EDPB). If the EDPB approves the draft decision, it will be presented to EU member states for formal approval. The UK government has urged the EU to swiftly complete this technical process for adopting the adequacy decision as early as possible.
There has been some speculation as to whether special terms and conditions would be included to take into account the recent “Schrems II” ruling by the European Court of Justice. However the draft adequacy decision confirms that existing UK law is sufficient and that no additional steps need to be taken by data exporters who are transferring personal data to the UK. Once adopted, the adequacy decision will be re-examined every four years by both the EU and the UK. To the extent that UK data protection law diverges from EU GDPR principles, it is possible that the decision could be revoked in the future and therefore organisations will need to keep the position regarding ongoing data transfers to the UK under review.
Dual Data Protection Regimes
Despite the anticipated good news regarding formal adoption of the adequacy decision, it is important to note that the UK and the EU are now subject to separate regulatory regimes. As and from January 1st 2021 organisations that process data in the EU and the UK are now subject to both the EU GDPR and the UK GDPR regimes and depending on the nature of their operations may need to appoint an EU representative or a UK representative. Such organisations should also consider which EU supervisory authority will be their lead authority given that the UK Information Commissioners Office may no longer be the lead supervisor authority for data controllers and data processers located in the UK without a main establishment in the EU.
Despite the risk of future divergence in EU/UK data protection laws, the publication of the draft adequacy decision is good news in terms of allowing continuing ease of transfer of personal data from the EU to the UK without having to resort to other transfer mechanisms such as standard contractual clauses or binding corporate rules.