On 10 January 2020, the European Commission’s Task Force for Relations with the United Kingdom (“UKTF”) gave an encouraging update on the potential adoption of an “adequacy decision” under the General Data Protection Regulation (“GDPR”) in relation to the UK's level of personal data protection after its withdrawal from the EU.
The UKTF is the EU body coordinating the issues related to the UK’s withdrawal from the EU. In their most recent negotiation document: "Internal EU27 preparatory discussions on the future relationship: "Personal data protection (adequacy decisions); Cooperation and equivalence in financial services", the European Commission (“Commission”) stated that it will start the assessment with respect to the UK’s adequacy “as soon as possible” after the UK's withdrawal from the EU under the terms of the current Withdrawal Agreement (scheduled for 31 January 2020).
The Commission will endeavour to adopt an adequacy decision by the end of 2020, provided applicable conditions are met. The adoption of the proposed adequacy decision will involve:
- a proposal from the Commission;
- an opinion from the European Data Protection Board;
- approval from representatives of EU countries; and
- the adoption of the adequacy decision by the European Commissioners.
The proposed time frame of 11 months is a comparatively short period of time for the Commission to reach a decision on adequacy. In the meantime, under the terms of the current Withdrawal Agreement, the UK will enter a “transition period”, during which GDPR will continue to apply.
In September 2019, we highlighted that, in the event of a “no deal Brexit”, since no recognition of the UK’s data protection regime would be in place, the UK would join the list of “third countries” for the purposes of EU personal data transfers, resulting in the need for “appropriate safeguards” under Article 46 of GDPR to be adopted by organisations in the EEA who transfer personal data to the UK.
However if an adequacy decision is adopted, the Commission will recognise that the UK ensures an adequate level of data protection for data subjects and that personal data can flow from the EEA to the UK without any further safeguards being necessary.
The most recent update will serve as a positive development for Irish-based organisations that currently transfer personal data to the UK.