Following Brexit, the European Commission is working on an adequacy decision concerning the UK, which will be announced before the end of June 2021. This is good news for businesses as it will make transfer of personal data from the European Economic Area (“EEA”) to the UK much more straightforward and will mean that there are no additional safeguards or documents for businesses to put in place to legitimise the flow of personal data to the UK. Although the UK’s data protection regime currently mirrors GDPR, there is some concern that laws will diverge over time. As such, the most likely outcome is that the UK is granted an adequacy decision for four years, which is subject to ongoing review.
International transfers of personal data are common for employers, whether that may be accessing information about employees in other countries, working with international colleagues on HR projects or using software which is hosted outside of the UK.
Under GDPR, transfers of personal data from within the European Economic Area (EEA) to outside the EEA are only permissible where appropriate safeguards are put in place unless the country’s data privacy laws are determined to be “adequate” by the EU.
Following Brexit, the UK will be outside the EEA and so in the absence of an adequacy decision, transfers from the EU to the UK will need be subject to additional measures and employers would need to put additional documentation in place, such as Standard Contractual Clauses. An agreement was reached in December 2020 between the UK and the EU, allowing the UK a six-month grace period for the free flow of data until the end of June 2021.
What might an adequacy decision look like?
The European Data Protection Board (EDPB) has published its Opinion on the European Commission's draft adequacy decisions in relation to the UK. If granted (which is expected), the adequacy decision will make the continued flow of data between the EEA and the UK much easier and will avoid the need for businesses to put additional measures in place such as Standard Contractual Clauses.
However, any EU adequacy decision is likely to be time-limited to four years and subject to ongoing review, in case UK law develops in a direction that the EU later considers to be inconsistent with GDPR requirements.
In terms of next steps, the European Commission will seek approval on the UK adequacy decision from each EU member state and has indicated that it will make its final adequacy decision before the end of the grace period (i.e., before the end of June 2021). As we have noted above, we expect any adequacy decision to be valid for four years only, after which it will be reviewed.