Good news at last: the free flow of personal data between the UK and EU is approved by the European Commission
Finally, the wait is over and... thankfully it is good news.
Businesses reliant upon dataflows between the UK and EU can continue to transfer personal data without additional safeguards after the EU Commission’s finding of adequacy was announced.
Post-Brexit, many industries (ranging from finance to insurance to hosting to data warehousing) held their collective breath awaiting the outcome of the EU’s decision in relation to its consideration of the UK’s data protection regime. If a decision of adequacy was not adopted, UK businesses would have been in the strange position of freely exporting personal data to the EU, but unable to import personal data from the EU without the application of additional safeguards, for example, EU Standard Contractual Clauses.
Such concerns heightened recently due to the pending expiry of the ‘Brexit data bridge’ on 30 June 2021, which extended the pre-Brexit status quo after the transition period. With no news from Europe amidst concerns from certain Member States that a draft adequacy decision should be amended, the position was unsettled.
Thankfully - and frankly, unsurprisingly, given that the current UK data protection regime is based upon its European equivalent - due to the EU’s view that the UK “benefits from an essentially equivalent level of protection to that guaranteed under EU law”, it adopted two adequacy decisions for the UK which entail that “personal data can now flow freely from the European Union to the United Kingdom”.
That said, unusually, the findings of adequacy contain a ‘sunset clause’ which limits such adequacy decisions to a period of four years or a shorter period in the event that the UK diverges from the current personal data protections. After this period, the EU Commission has stated that the findings of adequacy may be renewed provided that the UK continues to ensure an adequate level of data protection. Therefore, this position should be a key consideration for the UK Government in relation to the future development of its data protection regime, particularly as the EU-UK Trade and Cooperation Agreement includes a commitment by the UK to uphold high levels of data protection standards.
Notwithstanding this welcome development, UK business should not forget to ensure that any data transfers to third parties (within the UK and the EU) should be governed by Data Sharing Agreements entered into between the relevant parties. Life has been made easier by the adequacy decisions. However, the protection of personal data and compliance with the legal regime is still paramount and should remain a key consideration for your organisation.
Expert advice in relation to all aspects of data protection, information governance, privacy, cyber liability and electronic communications from a team of leading data protection solicitors.