On 28 June, the European Commission adopted its Adequacy Decision for the UK, putting to an end (at least for now), the uncertainty surrounding EU to UK personal data flows. This averted a “cliff edge” in the shape of the 30 June expiry of the temporary data flow "bridging mechanism" in the UK-EU Trade and Cooperation Agreement. Prior to this, the European Commission had carried out a formal assessment of the UK’s data protection regime, publishing a draft decision, which was then approved by the EU Member States in the committee, established by Art. 93(1) of the GDPR. The UK government’s press release is available here.
Consequences for businesses
The Adequacy Decision means that personal data can continue to flow from the EU to the UK, on the basis the UK currently guarantees an essentially equivalent level of protection to that provided under EU law. This avoids the need for EU exporters to satisfy the restrictions in the EU GDPR, such as entering into standard contractual clauses (SCCs) with the UK entity importing the data. Unusually, for the first time this Adequacy Decision includes a sunset clause, requiring it to be renewed after 4 years (this is different from the “re-assessment” approach taken with earlier country adequacy decisions).
It is likely that this was included in recognition of concerns expressed by the EU Parliament’s Civil Liberties (LIBE) Committee about the current (and possible future) adequacy of the UK’s data protection regime, centred on the UK’s bulk data collection practices. Another challenge for the EU was addressing the potential for the UK’s future regulatory divergence from EU norms. Now it has been granted, the European Commission will continue to monitor relevant developments in UK law to confirm that adequate standards of protection are maintained, failing which, the Adequacy Decision can be suspended or repealed in whole or part, even before the expiry of the initial four year period.
What’s next for reform of UK data protection law?
The Adequacy Decision did not happen in a vacuum. It follows the publication, on 16 June 2021, of the UK Government’s Taskforce on Innovation, Growth and Regulatory Reform’s (TIGRR) report on next steps for the UK, as well as the Department of Digital, Culture, Media and Sport’s publication of its response to consultation on the UK’s National Data Strategy on 18 May 2021.
TIGRR recommends that reform of UK GDPR should be a high priority for the UK. It also concludes that the GDPR is out of date and should be revised/replaced with a new UK framework for data protection to facilitate innovation (e.g. in AI technologies) and to reduce the compliance burden which it says is ‘prescriptive and inflexible and particularly onerous for smaller companies and charities to operate.’
Balanced against this are recent public statements from the Minister of State for Media and Data, confirming the UK remains committed to data protection and that the public response to the National Data Strategy consultation made it clear that any progress in reforming data protection laws could only happen if there was sufficient public trust. The aim is for the UK to make changes that are beneficial, while also persuading both the EU and public that the UK continues to have high standards.
The present signs are that any post-Brexit ‘reset’ of UK data protection regulation will be less radical than some of the proposals in the TIGRR report and will be undertaken with an eye firmly placed on maintaining trust in the UK’s data protection environment and therefore its adequacy status.