After months of discussions, on Friday 19 February the European Commission announced a step towards approving continued free flow of data between the EU and the UK. For the full press release, click here.
The European Commission has announced that it is planning to grant the UK two adequacy decisions, one under the GDPR and the other for the Law Enforcement Directive (LED).
What is the adequacy decision?
The draft data adequacy decisions, put simply, mean that the European Commission recognises that the UK’s post-Brexit data protection standards (which are now known as the ‘UK GDPR’) offer essentially equivalent protections to those granted under the EU’s GDPR and, for the first time, under the LED. There has never been an issue with regards to data-sharing from the UK into the EU, as the UK recognised the EU as a ‘safe harbour’ for receipt of data transfers from the outset. However, this new decision will enable UK and EU businesses to continue sharing data in both directions while adhering to largely shared data protection laws.
Finalising the decision is expected to take several months as discussions with the European Data Protection Board are required before the UK formally receives ‘adequate’ status.
What is the significance of the adequacy decision?
Giving the UK adequacy status makes transferring personal data between the EU and the UK easier. In a post-Brexit world this is a positive step for UK businesses as it strengthens trade confidence and innovation as well as facilitating health and scientific research (which is particularly pertinent now). It will also provide significant benefits for organisations with offices, branches or operations in both the UK and the EU.
Being able to transfer personal or sensitive data from the EU to the UK without safeguards beyond those already in place will save UK businesses extra paperwork and the requirement for further risk and impact assessments.
The UK will join countries including Argentina, Canada, Israel, Japan, New Zealand, Switzerland and Uruguay who have already achieved ‘adequate’ status.
What do you need to do now?
As explained, it will take several months for the decision to be finalised but given the expected ‘adequate’ status, UK businesses can continue to transfer data to and from the EU providing that it is compliant with existing data protection regulations.
As the UK will no longer be bound by EU privacy rules, the EU’s decisions will only be valid for an initial period of four years from when the draft decisions are finally adopted. After four years, it will be possible for the EU to renew the adequacy finding if the UK’s provisions remain ‘equivalent’.
These notes have been prepared for the purpose of articles only. They should not be regarded as a substitute for taking legal advice.