Country receives draft adequacy decision
Credit: Adobe Stock
The EU has given the provisional green light to the UK’s privacy regime, meaning business, government and law-enforcement data should soon be allowed to travel unfettered across the English Channel and beyond.
Now the UK has left the bloc, it requires the granting of ‘adequacy’ status to ensure that, in the long term, data can continue to be transferred between organisations in the EU and those in this country.
This requires the European Commission to rule that a country’s data-protection and privacy regulations are compatible with EU law and procedures. Nations that have previously been granted adequacy status include Argentina, Uruguay, Canada, Switzerland, Israel, Japan, and New Zealand.
The EC has now granted two ‘draft’ adequacy statuses to the UK: one for the General Data Protection Regulation; and the other for EU’s Law Enforcement Directive.
The decisions of the commission will now be put to the European Data Protection board which will, in turn, make a non-binding recommendation. This will then be put forward for formal approval by the remaining 27 member states.
Related content
- Achieving EU data adequacy ‘increasingly challenging’, minister admits
- EU data transfers: UK legislates ‘transitional’ measures for post-transition period
- Policy on public sector use of US cloud under review as uncertainty grows over post-Brexit data transfers
Didier Reynders, commissioner for justice, said: “A flow of secure data between the EU and the UK is crucial to maintain close trade ties and cooperate effectively in the fight against crime. Today we launch the process to achieve that. We have thoroughly checked the privacy system that applies in the UK after it has left the EU. Now European data protection authorities will thoroughly examine the draft texts. EU citizens’ fundamental right to data protection must never be compromised when personal data travel across the Channel. The adequacy decisions, once adopted, would ensure just that.”
The government said that it provided the EC with the relevant material for assessment “in a timely manner” in March 2020 and that the lack of an adequacy decision in time for the UK’s ultimate departure from the EU is because “the commission did not finalise draft decisions in time”.
“The UK government now urges the EU to swiftly complete this technical process for adopting and formalising these adequacy decisions as early as possible,” it added.
In the meantime, data flows between the UK and the EU are covered by a “bridging mechanism” that applies until 30 June – or until adequacy takes effect, whichever is sooner.
If and when adequacy is ratified, it will apply for a period of four years, after which time it will be reviewed and – if the UK’s privacy regime is deemed to remain adequate – renewed.
Julian David, chief executive of industry body techUK, said that decision to grant the UK with draft adequacy “is warmly welcomed” businesses.
“The tech sector… has been making clear the importance of a mutual data adequacy agreement since the day after the referendum,” he added. “Receiving data adequacy, alongside the EU-UK Trade and Cooperation Agreement, will set a solid foundation for digital trade with the EU, including strong non-discrimination clauses and positive data flows provisions, that will give businesses the confidence to invest.”
