After months of uncertainty and speculation, the European Commission (EC) has confirmed that it has kick-started a process which, if successful, will enable the personal data of EU citizens to be sent freely to the UK – saving businesses on both sides of the Channel billions of pounds and long hours spent tackling bureaucratic hurdles.
The EC has published draft documents outlining the details of the process, called an adequacy decision, determining that UK laws provide a level of data protection that is comparable to the stringent rules laid out in the bloc’s General Data Protection Regulation (GDPR). If and when the adequacy decision is adopted, GDPR-protected data will be allowed to be sent and processed freely to the UK.
With the UK recently leaving the EU, the country effectively ceased to be protected by the GDPR, meaning that the rules surrounding imports of personal information about EU citizens had to be revised. The UK government has long established its hopes that an adequacy decision would be granted to green-light the free flow of personal data and enable business to continue as usual.
From logistics to legal services, through healthcare and human resources: the volume of personal data that is exchanged between the EU and the UK should not be underestimated. Without an adequacy decision, businesses operating in both markets would have to set up complex alternative mechanisms to comply with GDPR rules on the flow of digital information. Economists estimate that the total cost of implementing those new contracts to keep data flowing legally could amount to £1.6 billion ($2.14 billion), with smaller firms hit the hardest.
In this context, it is easy to see why the UK government was rooting for a smoother, frictionless adequacy decision.To boost the country’s chances of obtaining the coveted status, GDPR laws were enshrined in the UK’s domestic laws. The Data Protection Act (DPA), as a result, is often referred to as the “UK GDPR”.
Despite those assurances, the EU failed to grant the UK an adequacy decision before the end of the Brexit transition period. Instead, an interim period of six months was implemented, during which it was agreed that personal data would continue to flow from the EU to the UK, while the bloc pondered whether the UK should be recognized as data-adequate or not.
The draft decisions now published by the EC measure the key provisions of the GDPR against the UK’s laws, and conclude that the UK GDPR provides similar safeguards, individual rights, supervision systems and other rules related to data protection as those available under EU law.
Such conclusions were, unsurprisingly, welcomed by the UK government. Osborne Clarke privacy and technology lawyer, Georgina Graham, tells ZDNet: “These draft decisions seem sensible, because the UK data protection rules are practically identical to those in the EU. Another outcome would have been surprising. It’s a really good outcome and it will make life a lot easier for businesses in the UK and the EU.”
However, Graham points out that the draft documents do not provide assurance that adequacy will be granted. Rather, they are indicative of the start of a process, which now involves obtaining an opinion from the European Data Protection Board (EDPB), as well as the green light from a committee composed of representatives of the EU Member States.
The UK government has urged the EU to “swiftly complete” what was described as a “technical process”. Previous examples, such as the Japanese adequacy decision, have shown that the next steps can in fact take up to four months and require several rounds of discussion with the EDPB.
Because of the potential complications that might arise in the next few months, data protection consultancy Securys has recommended that businesses keep looking at alternative ways of legitimizing transfers from the EU to the UK, in case the adequacy decision fell through.
Graham has similar advice for organizations: “Carry on mapping where you’ve got those flows of data from the EU to the UK, and perhaps, for the most significant ones, put in place some alternative mechanisms,” she says. “It’s not strictly necessary now because of the interim agreement, but if you were cautious, you may want to do it.”
Even if the EU does grant the UK adequacy, the decision will only apply for a limited timeframe. Once the draft decisions are adopted, the EC said they would only be valid for an initial period of four years, after which it would be possible to renew the adequacy findings – or to repeal them, if any problematic changes were made to the UK’s data protection laws.
In the past years, the UK has come under the spotlight of top EU courts after it was found that some of the government’s mass surveillance practices went against the bloc’s charter of fundamental rights. In a recent ruling, the EU’s Court of Justice found that the bulk collection and retention of citizen data, which is currently legal in the UK thanks to the Investigatory Powers Act (IPA), was particularly problematic.
The draft adequacy decisions published by the EC include a lengthy chapter that is dedicated to desiccating the access and use of personal data by public authorities in the UK. It concludes that UK laws are nevertheless compatible with the EU’s GDPR, because the country has committed to remain party to separate agreements that regulate data protection – namely, the European Convention of Human Rights and the ‘Convention 108’.
If the UK is granted adequacy, the country’s data protection laws will still be kept under the EC’s close watch. The Commission indicated in the draft decision that it will monitor legal developments in the UK on an ongoing basis, and that UK authorities should keep the bloc updated with any changes to the rules.
“It is clear that the European Commission will keep a particularly watchful eye on any data protection related developments occurring in the UK,” said Guillaume Couneson, partner at law firm Linklaters. “The EC refers to ‘continuous monitoring’ (…), underlining that the adequacy decision could be questioned at any time should adverse developments occur.”
In addition, the EC’s draft documents invite member states to help the Commission carry out its monitoring function, for example by notifying the organization of any complaints by EU data subjects concerning the transfer of their personal data to the UK. This opens the door to challenges to the adequacy decision from individuals and privacy rights organizations.
The scenario would not be unprecedented: last year, the EU ruled that the data bridge in place between the bloc and the US was invalid, after Austrian lawyer and activist Max Schrems brought up a case against government surveillance on the other side of the Atlantic. The agreement, known as the EU-US Data Privacy Shield, was effectively dropped, in a major blow to thousands of companies.
“I think there is certainly a chance of seeing something similar to the Schrems case,” says Graham. “I would not rule it out, although it would be a much more difficult case than that of the Privacy Shield.”
“Adequacy is definitely a good outcome, but it isn’t the end of the story, because it could be reviewed, and it well may be challenged in the courts. So I wouldn’t describe it as a total victory,” she continued.
The EU already recognizes other countries around the world as adequate including Argentina, Canada, Israel, Japan, New Zealand, Switzerland and Uruguay.