The EU Commission has adopted an ‘adequacy’ decision that will allow businesses to continue to send personal data from the EEA to the UK – just a few days before a transitional arrangement was due to end. Businesses will no doubt welcome the move, but they should keep an eye on this over the coming months and years – things could still change.
Throughout the Brexit talks, the need to send data from the EU to the UK has been a hot topic. It’s potentially a problem because the EU General Data Protection Regulation bans the export of personal data from the EEA to countries that don’t have ‘adequate’ data protection laws. There are a few routes for sending data to ‘non-adequate’ countries, including getting individual consent, or entering into an EU-approved contract – but those routes can be pretty costly for business.
The EU has previously declared various countries’ data laws to be ‘adequate’ – most recently South Korea. The process involves assessing whether a country’s laws protect personal data in a way that is analogous to the GDPR. Of course, the UK had implemented the GDPR before Brexit, and it has broadly retained the GDPR within UK law since leaving the EU. That might suggest that an adequacy decision would be a ‘no-brainer’; but MEPs and others had raised concerns about the UK’s surveillance regime, which gives public authorities broad rights to access people’s personal data for national security reasons. There had also been concerns about a perceived lack of enforcement of the GDPR by the UK’s Information Commissioner. Luckily for businesses, the EU has managed to get comfortable with those concerns, with its final decision noting various safeguards within the UK surveillance regime.
However, as with everything Brexit-related, there’s a novel twist: the UK adequacy decision will automatically expire in 2025, and the EU might revoke it even before then. That’s because the UK has already hinted that it might diverge from the GDPR in order to create a more business-friendly regime (and a recent government taskforce recommended replacing the GDPR to enable AI to develop in the UK). The EU has said it will monitor any changes to UK data law and how the law is applied in practice - and it will step in if there’s too much divergence.
And the UK’s adequacy status could face yet another hitch, in the shape of privacy activists - and Max Schrems in particular. Mr Schrems has already successfully challenged the arrangements that allowed data to flow from the EEA to the US, on the basis that the US surveillance regime didn’t fully protect personal data. He has previously said he’ll look at any UK adequacy decision, and other activists might be waiting in the wings.
Meanwhile, for data exports out of the UK, the government has said it intends to issue its own adequacy decisions; and the UK Information Commissioner has said it will consult on its own standard contract clauses in July.
For more information on data protection issues arising from Brexit, click here.