Half a decade after the Brexit vote and just before the interim solution was about to run out, the European Comission has (finally) confirmed that the UK is regarded as 'adequate' for data protection purposes. Here's what you need to know.
For those not too familiar with the terminology of ‘adequacy’ it all sounds a tad underwhelming. If, for example, you were to tell a family member that their attempt at cooking Sunday lunch was ‘adequate’, you might find yourself wearing parts, or perhaps all, of your lunch in some way. ‘Adequate’ isn’t quite damning with faint praise, but it doesn’t sound far off it.
However, for data protection purposes this is a momentous decision. In effect, it means personal data can continue to move freely from the EEA/ EU to the UK under the EU GDPR. It’s the decision many businesses, large and small, were waiting for.
In a press release, you could almost hear the relief of the UK’s Information Commissioner, who said, ‘adequacy is the best outcome as it means organisations can carry on with data protection as usual. And people will continue to enjoy the protections that their data will be used fairly, lawfully and transparently’, adding, ‘the result is also a testament to the strength of the UK’s data protection regime.’
But businesses need to be aware that this adequacy decision is slightly different from the others adopted by the European Commission.
The key point here? The UK is adequate for now. This is not a permanent arrangement by any means:
- the decision includes a ‘sunset clause', which limits its duration. This means the decision will automatically expire four years after it enters into force. After that period, the adequacy decision might be renewed, but only if the UK continues to ensure an adequate level of data protection. Many MEPs will doubtlessly be unhappy about this decision. Only recently, many were fretting that the UK’s stated desire to develop its own data protection regime meant granting adequacy would be inappropriate. These MEPs are likely to want to challenge this decision again when this period expires. The UK’s cards have been marked. And be in no doubt: this decision is a political one. If the relationship between the UK and EU deteriorates in the next few years this could mean the end of EU-UK adequacy at that time
- the collection of data by UK intelligence authorities could mean that the decision is challenged in the courts at some point in the future. Are we looking at, for example, a Schrems 3.0?
It is also worth noting that transfers for the purposes of UK immigration control are excluded from the scope of the adequacy decision to reflect a recent judgment of the Court of Appeal on the validity and interpretation of certain restrictions of data protection rights in this area. The European Commission says it will reassess the need for this exclusion once the situation has been remedied under UK law
If you have any questions on these adequacy decisions (there were two formal legal documents) or would like to chat generally about them, we’d be delighted to hear from you.