European Commission proposes UK data adequacy agreement

by Joseph K. Clark

The European Commission (EC) has indicated its willingness to offer a data adequacy agreement for the UK, subject to formal approval by EU member states.

The commission has published two draft data adequacy decisions, one under the General Data Protection Regulation (GDPR) and another under the Law Enforcement Directive (LED), to allow for the continued transfer of personal data to the UK, setting in motion the process of their formal adoption.

The purpose of data adequacy decisions is to determine whether a country or sector within a country outside the European Union (EU) has essentially equivalent data protection standards to the bloc and, therefore, whether data can be shared with it.

adequacy agreement

The UK has already determined under its own rules that the EU offers an adequate level of data protection, with the draft decisions now seeking to assess whether data can still flow in the other direction from the EU to the UK following Brexit.

According to the decisions, the EC considers that the UK’s data protection laws “ensure a level of protection for personal data… that is essentially equivalent” under both the GDPR and LED, and that the “oversight mechanisms and redress avenues” are sufficiently strong enough to allow data subjects to exercise their rights and sanction infringements.

Both draft decisions will now be scrutinized by the European Data Protection Board (EDPB), but because the board does not have the power to block the findings, they will also need sign-off from EU member states before they can be fully funded adopted by the EC.

Data can flow from the EU to the UK under the Trade and Cooperation Agreement signed on 24 December 2020, which provides a six-month bridging period to allow the continued flow of data while the adequacy decisions are fully assessed.

“A flow of secure data between the EU and the UK is crucial to maintain close trade ties and cooperate effectively in the fight against crime. Today we launch the process to achieve that. We have thoroughly checked the privacy system that applies in the UK after it has left the EU,” said Commissioner for Justice Didier Reynders.

“Now European data protection authorities will thoroughly examine the draft texts. EU citizens’ fundamental right to data protection must never be compromised when personal data travels across the Channel. The adequacy decisions, once adopted, would ensure just that.”

Suppose the member states agree the UK is adequate under the LED. In that case, it will mark the first time such a good decision has been made under the directive, with most law enforcement data transfers from the EU currently governed by international agreements that do not consider the standard of essential equivalence that now exists.

Twelve adequacy decisions have been made under the GDPR since it came into effect in May 2018, with Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay all being recognized as adequate jurisdictions by the EC.

In July 2020, the Court of Justice of the EU (CJEU) struck down the EU-US Privacy Shield data-sharing agreement for failing to ensure that European citizens had adequate rights of redress when data can be collected by the US National Security Agency (NSA) and other US intelligence services.

The ruling, colloquially known as Schrems II after the Austrian lawyer who took the case to the CJEU, found that people must be given “essentially equivalent protection” for their data when it is transferred to the US and other countries as they would receive in the EU under the GDPR and the European Charter of Fundamental Rights, which guarantees people the right for private communications and the protection of their personal data. The status of EU-US data adequacy has still yet to be fully resolved.

Even though both adequacy decisions for the UK aim to achieve the same standard of essential equivalence, rules for the protection of personal data differ between the GDPR and LED, with the latter setting out sector-specific regulations to govern how personal data can be processed and transferred by criminal justice organizations for law enforcement purposes.

Therefore, the formal adoption of one adequacy decision does not entail the automatic adoption of the other, as both need to be assessed separately on their own merits.

UK government and tech sector react to GDPR adequacy

Secretary of state for digital Oliver Dowden welcomed the publication of the draft decisions, which he claimed reflect the UK’s commitment to high data protection standards.

“Although the EU’s progress in this area has been slower than we would have wished, I am glad we have now reached this significant milestone following months of constructive talks in which we have set out our robust data protection framework,” he said.

“I now urge the EU to fulfill their commitment to complete the technical approval process promptly, so businesses and organizations on both sides can seize the clear benefits.”

The draft decisions have also been received positively by industry bodies representing various businesses in the UK’s tech sector. “Today’s decision is warmly welcomed by the tech sector, which has been making clear the importance of a mutual data adequacy agreement since the day after the referendum,” said Julian David, CEO of TechUK.

“Receiving data adequacy, alongside the EU-UK Trade and Cooperation Agreement, will set a solid foundation for digital trade with the EU, including strong non-discrimination clauses and positive data flows provisions, that will give businesses the confidence to invest.”

Stephen Kelly, chair of Tech Nation, added the international transfer of data was critical to UK tech, particularly for sectors like financial technology (fintech), where rapid growth has been predicated on unlocking the value of data.

Related Posts

Leave a Comment