The European Commission has now announced (on 19 February) that it has launched the process that would see the adoption of two data adequacy decisions for the transfer of personal data to the UK from the EU.
An EU-UK adequacy decision has been keenly awaited and the two draft decisions, one under Article 45(3) of the GDPR and the other under Article 36(3) of the Law Enforcement Directive (LED), indicate the EU's acceptance that the UK's data protection regime is substantially equivalent to the EU regime. This announcement has been welcomed by the UK government and is good news for both UK and EU businesses which depend on the ongoing transfer of data to the UK, particularly those in the insurance, health, and technology sectors. Failure to secure an adequacy decision would, it is estimated, have cost UK business upwards of £1.6billion.
The next step involves a formal opinion from the European Data Protection Board (EDPB), and the Commission will then seek confirmation from Member States' representatives, after which the adequacy agreement will be formalised. The formal adequacy agreement will then run for four years after which it would be subject to review and extension if the level of data protection in the UK continues to be adequate. The temporary interim provision under the Brexit Trade Deal will afford the continued and uninterrupted flow of personal data from the EEA to the UK until 30 June 2021, or the date which the EC issues their final adequacy decisions, whichever is the earliest. Whilst the EU has not issued a timetable for the formal decision it is to be expected that it will be confirmed prior to the 30 June deadline in order to ensure continuity.
Following the end of the Brexit transition period, the UK data processing regime is now governed by the UK GDPR and the Data Protection Act 2018, which are derived from and almost identical in substance to the EU GDPR and the LED. The EU has previously issued adequacy decisions to other third nations including, Argentina, Canada, Israel, Japan, New Zealand, Switzerland and Uruguay. The EU's statement sounds a positive note as it acknowledges that as the UK is committed to remaining a party to the European Convention of Human Rights and "Convention 108" of the Council of Europe, and Vera Jourova, Vice-President for Values and Transparency has said that "The UK has left the EU but not the European privacy family". Nevertheless, the process includes "clear and strict" review mechanisms; if there is a later divergence between the UK and the EU regimes, future adequacy agreements may not be granted.
This announcement will provide much needed clarity, and will assure businesses that the transfer of business critical personal data can continue.