UK-EU data flows: Breathe and stop, an adequacy decision is what we’ve got

The implications of Brexit through the lens of data protection have been uncertain to say the least. Whilst many were concerned that the UK could perhaps be subject to a similar fate to the US following the decision taken by the ECJ in the “Schrems II” case last year either because of genuine concern over its privacy regime or merely to apply politically-motivated pressure in negotiations, others felt confident that the European Commission would not take this stance towards the UK as it would want to keep the flow of data between the EU and UK moving for the good of the remaining EU Member States. In either case, not knowing whether the EU would grant the UK a data adequacy decision has forced some UK businesses to put their data innovation projects on hold in order to retain some budget to potentially introduce new safeguards for EU-UK data transfers (e.g. the existing or new Standard Contractual Clauses (“SCCs”)) in order to comply with the General Data Protection Regulation (“GDPR”) in the event an adequacy decision not being granted.

After months of deliberation by the Commission, the uncertainty has now been lifted by virtue of the it adopting two adequacy decisions for the UK – one under the GDPR and the other for the Law Enforcement Directive (1).

This formal recognition of the UK’s high data protection standards means that personal data can now flow freely from the EU to the UK where it benefits from an essentially equivalent level of protection to that guaranteed under EU law. UK businesses and organisations can continue to receive personal data from the EU and EEA without having to put additional arrangements in place with European counterparts, such as adopting the existing or new Standard Contractual Clauses.

Whilst this may seem like a cause for celebration, , both adequacy decisions include strong safeguards in the form of ‘sunset clauses’ which allow the EU to review the adequacy decision in four years’ time to determine whether there has been any future divergence in this regard by the UK. If the UK sometime in the future loosens up its privacy regime to facilitate internal and cross-border trade, the EU could invoke these safeguards.

Ultimately, the free flow of personal data supports trade, innovation and investment, and supports the delivery of critical public services sharing personal data as well as facilitating health and scientific research. With this in mind, the UK government has stated: “The government plans to promote the free flow of personal data globally and across borders, including through ambitious new trade deals and through new data adequacy agreements with some of the fastest growing economies, while ensuring people’s data continues to be protected to a high standard.

All future decisions will be based on what maximises innovation and keeps up with evolving tech. As such, the government’s approach will seek to minimise burdens on organisations seeking to use data to tackle some of the most pressing global issues, including climate change and the prevention of disease.” (2)

What this means with regard to the UK diverging from the standards of data protection that have allowed for today’s adequacy decisions being granted by the EU, only time will tell. However, it suggests that “global Britain” is less inclined than the EU to let the data protection tail wag the cross-border transaction dog so we shouldn’t rule out further horse-trading around this issue in the future.

(1) https://ec.europa.eu/commission/presscorner/detail/en/ip_21_3183
(2) https://www.gov.uk/government/news/eu-adopts-adequacy-decisions-allowing-data-to-continue-flowing-freely-to-the-uk