19 February 2021 meant good news for all EU-based companies transferring data to the UK as the EU Commission published draft decisions, which would confirm the adequacy of the UK’s data protection regime. The adequacy finding would allow personal data to flow freely to the UK despite Brexit, bringing welcome certainty for businesses operating across the Channel. See our previous article for further background on GDPR and Brexit.
Blessing for UK transfers nearly confirmed – the clock is ticking
The draft adequacy decisions will now be reviewed by the European Data Protection Board (“EDPB”), after which the EU Commission will request the approval of EU member states’ representatives (comitology procedure) before adopting the final decisions. No certain timetable is available for the final adoption but there is a considerable desire to confirm UK adequacy as soon as possible.
As described in our previous article, EU-UK data transfers are now taking place by virtue of an interim arrangement until up to 1 July 2021 meaning that the final decisions should be adopted in just over four months. This could prove a tight schedule. Affected companies, therefore, remain in the thankless position of anticipating UK adequacy but simultaneously being mindful of a non-adequacy scenario.
To ensure the credibility of the adequacy finding, the draft decisions demonstrate a robust analysis especially of the access to data by national security authorities in the UK, which now must be sufficiently followed-up by the EDPB in its own analysis. This goes to show that the strict evaluation of authority access to data, underlined in the Schrems II judgement, is now the new norm in any assessment of lawfulness of international data transfers.
UK as a non-member state
While the expected adequacy decisions will allow data to flow freely from the EU to the UK, it should be noted that the UK will, nevertheless, become a so-called third country under European data protection law. Accordingly, UK-based companies must already observe the potential obligation to designate an EU representative under the GDPR as they are no longer established in the EU.
Additionally, the adoption of final adequacy decisions would not bring definite closure on the future of EU-UK data flows. According to the draft decisions, the adequacy finding would be subject to automatic re-examination after four years to ensure that the UK regime continues to provide an adequate level of protection. It has also become evident that the UK adequacy decisions will remain open to challenges from privacy activists asserting shortcomings in the privacy safeguards of the British surveillance regime.