On February 19, 2021, the European Union Commission issued its draft adequacy decision for data flows between the European Union (EU) and United Kingdom (UK).
While widely anticipated, this draft decision will provide some assurance regarding the continuing free flow of data between the EU and UK, although businesses should take note of some ongoing regulatory issues.
Post-Brexit (the UK’s exit from the European Union):
- The UK largely adopted the EU GDPR as standalone UK law
- The UK became a “third country” for data flows from the EU
- Transitional provisions were applied to allow data flows between the UK and the EU. The EU-UK Trade and Co-operation Agreement agreed on December 24, 2020 included a “bridge period” of 4 to 6 months to allow for the EU Commission to adopt an adequacy decision under the GDPR for the UK
- The UK deemed the EEA to be adequate on a transitional basis, a position likely to be the case until 2024. The UK also retained the EU standard contractual clauses as a transfer mechanism
- The UK also adopted earlier EU adequacy decisions, meaning that data could continue to flow, as before, to countries outside of the EU, such as Japan, with adopted adequacy decisions. The UK has said it will keep these adequacy decisions under review
The speed of issue of this draft decision will provide some comfort to businesses operating across the EU and UK, but there are several key issues to carefully consider. The draft decision must still be reviewed by the European Data Protection Board and then needs the “green light” from representatives of EU member states under the “comitology” procedure.
What Does Adequacy Mean?
In short, an adequacy decision means that the EU has accepted that the UK data protection regime offers adequate protections for EU data subjects.
If the decision is adopted, data may continue to flow between the EU and UK without the need for additional provisions, such as standard contractual clauses or the adoption of binding corporate rules.
There had been some question as to whether specific terms and conditions would be included to take into account the recent Schrems II ruling by the European Court of Justice, but the draft adequacy decision confirms that existing UK law is sufficient, and that no further safeguard steps need be taken by data exporters.
Regulatory Oversight – No “One Stop Shop”
Despite the adequacy decision, the UK and the EU are still subject to separate regulatory regimes.
From January 1, 2021 organisations that process data in the EU and the UK (or if UK based, offer goods or services, or target individuals in the EU and vice versa) are now subject to both the EU GDPR and the UK GDPR and, depending on their operations, may need to:
- Appoint an EU representative or a UK representative
- Consider which EEA or EU supervisory authority will be their lead authority, given that the UK Information Commissioner’s Office may no longer be the lead supervisory authority for data controllers and data processors located in the UK without a main establishment in the EEA.
Adequacy and the Longer Term
The Adequacy decision, once adopted, will not be a permanent position. It will be re-examined every 4 years by the EU and by the UK. However, this review period is longer than the review period in other adequacy decisions; for example, the Japan adequacy decision allows for a review every two years, subject to confirmation after the first two-year review.
Some risk remains that any EU Adequacy decision may be challenged in a similar way to the Safe Harbor and Privacy Shield provisions which were recently challenged in the Schrems II case. This may be considered a heightened risk given the European Court of Human Rights ruling regarding the UK mass surveillance programme.
However, the EU UK Trade and Co-operation Agreement does include provisions which foresee the possibility of future declarations of unlawful transfers. The Agreement outlines the steps to be taken by the Partnership Council to agree on joint interpretations, recommend appropriate actions, adopt appropriate adaptations and extend any suspensions. These provisions are based on the need for future co-operation, and the need to take steps to allow data to continue to flow between the EU and the UK.
Failing any resolution through the EU-UK Trade and Co-operation Agreement provisions, alternative mechanisms may need to be adopted to deal with any invalidation, for example the adoption of standard contractual clauses.
Ongoing Reviews and Guidance – Some Divergence?
Despite the Adequacy decision, organisations operating in the EU and UK will need to continue to monitor developments in both regions. A few examples to keep in mind below:
- The EU is currently consulting on revisions to the standard contractual clauses. Given that the UK has adopted the previous standard contractual clauses, it remains to be seen whether the UK will also adopt any revised version
- On February 2, 2021, the EU issued guidance on health research and secondary use of data. A week later, on February 9, 2021, the UK announced a review into the use of health data for research and analysis. We will cover these developments in a separate future briefing
- On the theme of facilitating continued flow of data, the ICO published its long awaited Data Sharing Code of Practice (the Code) at the end of last year. Due to the detailed way in which the Code covers data sharing in the context of the GDPR, it will also be of wider interest to data controllers outside of the UK post-Brexit