The EU has ruled that British data protection standards are “adequate”. This is just in time - the interim arrangement under the EU-UK Trade and Cooperation Agreement was due to end on 30 June. This decision will allow digital information to continue to flow between the UK and the EU.
The EU adopted final versions of the two adequacy decisions that were issued in draft earlier this year. These permit personal data flows to the UK under the GDPR and the Law Enforcement Directive. The decisions came into force this week and will expire after four years, unless renewed.
Data adequacy is a status granted by the European Commission to countries outside the European Economic Area (EEA) who provide a level of personal data protection comparable to that provided in European law. When a country has been awarded the status, information can pass freely between it and the EEA without further safeguards being required.
What is data?
The EU defines personal data as any information relating to an identified or identifiable person. This broad definition covers the usual areas like name, address and bank or health records, while extending to car registrations and photographs.
Since May 2018, personal data within the EU has been protected through the General Data Protection Regulation (GDPR). GDPR aims to harmonise data protection laws across the EEA, as well as updating and expanding the scope of existing regulation. The UK meets GDPR through the 2018 Data Protection Act.
Why is this important?
Any company that shares data between the UK and EU – via payroll or health records – could have been affected if Brussels had decided to withdraw adequacy.
Trade is increasingly facilitated by cross-border data flows, with businesses reliant on the ability to transfer personal data about their customers or workforce to offer goods and services, and to run even basic internal processes such as cloud-based email or file storage. This is especially true of ‘digitally intensive’ sectors –the UK’s burgeoning tech sector and agri-tech, but will also apply to logistics, global supply chains and an international work force such as applies with the food and agri industries.
Volumes of data entering and leaving the UK have increased tremendously over recent years, with the vast majority of these data transfers being with EU countries. It is argued that any restriction placed on data flows would act as a barrier to trade, putting UK businesses at a competitive disadvantage.
John Foster, director of the CBI, has stated the EU-UK adequacy decision would be welcomed by businesses. “The free flow of data is the bedrock of modern economy and essential for firms across all sectors – from automotive to logistics – playing an important role in everyday trade of goods and services.”
Sunset clause, right to repeal & any alternatives?
The Commission put a four-year sunset clause on the adequacy decision. The Commission will monitor the legal situation in the UK for any deviation from the level of protection currently in place. This could lead to the decisions being suspended, repealed or amended unilaterally by the Commission.
There is a counter-argument to adopting the EU approach in the UK that states the GDPR is “prescriptive and inflexible” . A recent taskforce report suggesting GDPR should be replaced with UK laws on data protection is being considered by Boris Johnson. The taskforce report on Innovation, Growth and Regulatory Reform FINAL_TIGRR_REPORT__1_.pdf (publishing.service.gov.uk) was drawn up by Iain Duncan Smith, Theresa Villiers and George Freeman and published last month, May 2021.
You can see the full EU's GDPR adequacy decision here and the LED adequacy decision here.