Posted: Thu 11th Mar 2021
The European Commission (EC) published a draft UK adequacy decision on the 19 February 2021, which will come as a huge relief for businesses across all industries in the EU and the UK.
Under the terms of the EU and UK trade and cooperation agreement, data transfers were of course permitted to remain unrestricted following the Brexit transition period for a period of four months from the 1 January 2021, extendable by a further two months to 1 July 2021 until alternative measures, such as the adequacy decision, could be agreed for EU transfers to the UK. N.B. The UK government had already confirmed that transfers from the UK to the EU could continue in any event.
When deciding whether or not to grant an adequacy decision, the EC must determine whether the third country in question (the UK) guarantees a level of protection which is "essentially equivalent" (not identical) to the providers in the EU. There are concerns surrounding the UK's surveillance laws which may lead to legal challenges further down the line. However, these same surveillance laws have been UK domestic law for a number of years alongside GDPR, so any challenge in the coming months will be interesting.
In terms of the draft adequacy decision, this will now be reviewed by the European Data Protection Board (EDPB), and then submitted to the committee comprising of a representative from each EU member state to provide a formal opinion (by way of vote). If adopted, the adequacy decision will be in force for four years, after which it may be renewed if the level of protection remains adequate. If the UK is deemed 'inadequate' then certainly EU businesses will need to look at alternative data transfer mechanisms, such as Standard Contractual Clauses (SCCs) as a minimum.
What do UK and Irish businesses need to do?
For UK businesses, the end of the Brexit transition period has meant that the UK data protection regime is governed by the UK GDPR and the Data Protection Act 2018, which contains almost identical provisions to EU GDPR. Indeed, many businesses may now find themselves subject to dual regulatory regime, both EU GDPR and UK GDPR.
Furthermore, a favourable adequacy decision is not a passport to 'continue as normal'. Additional compliance measures may need to undertaken, irrespective of the decision, such as the appointment of:
An EU representative, if the UK business offers goods or services to the Irish or wider EU market or monitors individuals in the EU, for example by way of placing cookies or behavioural advertising, and does not have an establishment in the EU; or
A UK representative, if the Irish or EU business continues to offer goods or services to the UK market or monitors individuals in the UK, for example by way of placing cookies or behavioural advertising, and does not have an establishment in the UK.
In addition to this requirement, UK companies will need to establish which EU country will be their lead supervisory authority, considering the Information Commissioners Office (ICO - the UK's supervising authority) is no longer part of the GDPR supervising authority 'bloc'. Many UK companies are opting to designate Ireland as their lead supervising authority as it is the only other English-speaking country in the EU. However, EDPB guidance suggests that businesses should have customers in the designated country.
Finally, if adequacy is adopted, businesses will need to revisit their privacy policies to update their mechanism for transferring personal data to and from the UK to make reference to the adequacy decision, if granted.
Many organisations I have spoken to were of the view that they would not need to appoint an EU or UK representative if an EU adequacy decision was made in favour of the UK. They are unfortunately incorrect. The adequacy decision relates to data flows to and from the UK only. Other GDPR obligations still need to be complied with.
_It's not too late to get your organisation up-to-speed with GDPR compliance and other data protection laws both in the UK and the EU. Please connect with me to find out how I can support your business through the transition and ensure you're compliant in the UK and the EU.