On February 19, 2021, the European Commission issued its draft adequacy decision for data flows between the European Union (EU) and United Kingdom (UK).
While widely anticipated, this draft decision will provide some assurance regarding the continuing free flow of data between the EU and UK, though businesses should take note of some ongoing regulatory issues.
Post-Brexit (the UK’s exit from the European Union):
- The UK largely adopted the EU GDPR as standalone UK law
- The UK became a “third country” for data flows from the EU
- Transitional provisions were applied to allow data flows between the UK and the EU. The EU-UK Trade and Co-operation Agreement agreed on December 24, 2020 included a “bridge period” of 4 to 6 months to allow for the EU Commission to adopt an adequacy decision under the GDPR for the UK
- The UK deemed the EEA to be adequate on a transitional basis, a position likely to be the case until 2024. The UK also retained the EU standard contractual clauses as a transfer mechanism
- The UK also adopted previous EU adequacy decisions, meaning that data may continue to flow, as before, to countries outside of the EU, such as Japan, with adopted adequacy decisions. The UK has said it will keep these adequacy decisions under review
The speed of issue of this draft decision will provide some comfort to businesses operating across the EU and UK, but there are a few key issues to carefully consider. The draft decision must still be reviewed by the European Data Protection Board and then needs the “green light” from representatives of EU member states under the “comitology” procedure.
What Does Adequacy Mean?
In brief, an adequacy decision means that the EU has accepted that the UK data protection regime offers adequate protections for EU data subjects.
If the decision is adopted, data may continue to flow between the EU and UK without the need for additional provisions, such as standard contractual clauses or the adoption of binding corporate rules.
There had been some question as to whether specific terms and conditions would be included to take into account the recent Schrems II ruling by the European Court of Justice, but the draft adequacy decision confirms that existing UK law is sufficient, and that no further safeguard steps need be taken by data exporters.
Regulatory Oversight – No “One Stop Shop”
Despite the adequacy decision, the UK and the EU are still subject to separate regulatory regimes.
From January 1, 2021, organisations that process data in the EU and the UK (or, if UK based, offer goods or services, or target individuals in the EU and vice versa) are now subject to both the EU GDPR and the UK GDPR and, depending on their operations, may need to:
- Appoint an EU representative or a UK representative
- Consider which EEA or EU supervisory authority may be their lead authority, given that the UK Information Commissioner’s Office may not be the lead supervisory authority for data controllers and data processors located in the UK without a main establishment in the EEA.
Adequacy and the Longer Term
The Adequacy decision, once adopted, will not be a permanent position. It will be re-examined every four years by the EU and by the UK. However, this review period is longer than the review period in other adequacy decisions; for example, the Japan adequacy decision allows for a review every two years, subject to confirmation after the first two-year review.
Some risk remains that any EU Adequacy decision may be challenged in a similar way to the Safe Harbor and Privacy Shield provisions, which were recently challenged in the Schrems II case. This may be considered a heightened risk given the European Court of Human Rights ruling concerning the UK mass surveillance programme.
However, the EU-UK Trade and Co-operation Agreement does include provisions which foresee the possibility of future declarations of unlawful transfers. The Agreement outlines the steps to be taken by the Partnership Council to agree on joint interpretations, recommend appropriate actions, adopt appropriate variations and extend any suspensions. These provisions are based on the need for future co-operation, and the need to take steps to allow data to continue to flow between the EU and the UK.
Failing any resolution through the EU-UK Trade and Co-operation Agreement provisions, alternative mechanisms may need to be adopted to deal with any invalidation, for example the adoption of standard contractual clauses.
Ongoing Reviews and Guidance – Some Divergence?
Despite the Adequacy decision, organisations operating in the EU and UK will need to continue to monitor developments in both regions. A few examples to keep in mind below:
- The EU is currently consulting on revisions to the standard contractual clauses. Given that the UK has adopted the previous standard contractual clauses, it remains to be seen whether the UK will also adopt any revised version
- On February 2, 2021, the EU issued guidance on health research and secondary use of data. A week later, on February 9, 2021, the UK announced a review into the use of health data for research and analysis. We’ll cover these developments in a separate future briefing
- On the theme of facilitating continued flow of data, the ICO published its long awaited Data Sharing Code of Practice (the Code) at the end of last year. Due to the detailed way in which the Code covers data sharing in the context of the GDPR, it will also be of wider interest to data controllers outside of the UK post-Brexit