What next for the UK’s data protection regime?

The EU may have granted its former member state adequacy, but there will be many more issues to resolve in the coming years. Sam Trendall explores

By Sam Trendall

17 Aug 2021

“This will be welcome news to businesses, support continued cooperation between the UK and the EU, and help law enforcement authorities keep people safe.”

This was how digital secretary Oliver Dowden greeted news at the end of June that the European Commission had – “after more than a year” of discussions, the cabinet minister admitted – granted data adequacy status to the UK.

The decision, which allows data to flow between organisations in this country and the remaining 27 EU member states, ratifies that the UK’s laws “ensure a level of protection for personal data… that is essentially equivalent” to the EU.

Although approval took longer than many had hoped – coming six months after the end of the Brexit transition period – it is perhaps no surprise that the UK received the green light in the end. A UK version of the EU General Data Protection Regulation has been signed into our domestic law, alongside the Data Protection Act, which offers similar assurances.

Jon Baines, senior data protection specialist at business law firm Mishcon de Reya, tells CSW that, for organisations moving data between the EU and the UK, the continued absence of an adequacy decision would have meant every transfer would have come with “a need for contractual arrangements… [and] every time you would have to add in a list of clauses”.

“It would have added significant costs in terms of time,” he says.

Indeed, a November 2020 report from the New Economics Foundation and UCL European Institute – to which Baines contributed – estimated that the collective cost to the UK economy of failing to obtain adequacy would be as much as £1.6bn.

The decision means that data can now flow in both directions, in the certainty that the legal protection it receives in this country matches and complies with that of any EU nation.

But not covered by the adequacy decisions is the processing and transfer of information for the purposes of immigration control or enforcement.

This is because, in those cases, the UK Data Protection Act effectively provides an exemption that means personal data does not enjoy the same rights and protections as when it is being used for other business, public service, or law enforcement purposes.

The commission’s decision to exclude immigration data from the adequacy framework – which marked a divergence from the draft decision the commission published earlier this year – came in light of a successful legal challenge to the act’s immigration exemption, which the Court of Appeal recently ruled is incompatible with UK law.

“The commission will reassess the need for this exclusion once the situation has been remedied under UK law,” it said in a statement when granting the adequacy decision.

‘It is not just what the laws look like on the page’

Outside of this exception, general personal data and law-enforcement data are now free to move between public bodies and businesses throughout the EU and those in the bloc’s one former member.

But, even with this approval now granted, there are important caveats to bear in mind. Most obviously, there is a “sunset clause”, stipulating that the decision applies for only four years, before it requires review and renewal.

Even during those 48 months, European legislators will be keeping a close eye on the UK.

“It is not just what the laws look like on the page – they will look at enforcement. The right to the protection of personal data is seen by the EU as a fundamental right, and they will look at whether the UK has respect for this. And they will look at it in the round,” says Baines, who is not a lawyer himself, but rather a specialist adviser, as well as a former public-sector data protection officer.

Beyond how existing law is interpreted and enforced by the Information Commissioner’s Office, there is also the issue of how the UK chooses to interact with other countries, and the boundaries it sets for data transfers with the rest of the world.

The UK became the 13th addition to the list of countries or territories that have, at least in part, been granted EU adequacy. It joins Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay. South Korea is in the process of obtaining adequacy.

Among those not on the list are Australia, India, Brazil, Russia, China, the whole of Africa and, perhaps most notably, the US.

While the UK government has often trumpeted the UK’s newfound ability to set its own laws, untethered from the framework of European legislation, the importance of maintaining adequacy is such that making any significant variance from the EU data protection mechanisms could be a very tricky move to pull off.

The respective relationships with the US will be an area that is watched particularly closely; between 2016 and July last year, data transfers between EU countries and the US were covered by the Privacy Shield agreement, which enabled US processors to self-certify their compliance with European data law.

But that arrangement has now been struck down by the Court of Justice of the EU, which found that Privacy Shield, and the wider US data-protection regime, do not provide protections for citizens’ data sufficient to comply with European law.

Unless and until a replacement framework is agreed, for both the UK and the EU, the US remains a third-party country which, like another 150-plus nations around the world, is not considered to have adequate protections for personal data.

But now, for the first time, the UK has the ability – in theory, at least – to take a more permissive approach to transatlantic data transfers.

“Where it gets interesting is whether there will be a divergence between the UK and the EU,” Baines says. “It is possible that the UK could take a bold decision on the US to make data transfers easier. But that would almost certainly present a risk for the EU adequacy decision.”

He adds: “For all third-party countries around the world, the government has said that we are going to look at our own adequacy assessments. And each of those is going to be scrutinised by the EU. While we have some freedom to set our own data laws and apply our own data regime, none of this is going to happen in a vacuum.”

Since Brexit was formalised earlier this year, there have not yet been any significant changes in the UK’s data-protection landscape. But there has been a shift in the tone adopted by politicians when discussing the matter.

“There have been a number of developments from the government in terms of policy aspirations which use the type of language that suggests that the UK wants to be ‘innovative’ in how data is used and wants to promote the data economy,” Baines says. “It is possible that there might be some pushing of the boundaries which might just give European legislators pause for thought.”

“There is so much politicking going on,” he adds. “It wouldn’t surprise me to hear [in the next few years] that the commission is concerned by developments in the UK – then there will probably be a little bit of rowing back, and then there will be an announcement then another [counter] announcement.”

After five years of Brexit, parties on both sides should, at least, be quite used to that.
