On March 19, 2021, the Secretary of State for Digital, Culture, Media & Sport (“DCMS”) signed a Memorandum of Understanding (“MoU”) with the UK Information Commissioner’s Office (the “ICO”) with respect to new UK adequacy assessments following the UK’s departure from the European Union. The MoU sets out how DCMS and third countries will negotiate adequacy decisions, referred to under the MoU as “adequacy regulations”. These permit the free transfer of personal data collected in the UK to the relevant “adequate” jurisdiction.
The UK has adopted the existing adequacy decisions of the European Commission prior to Brexit, such as those relating to Argentina, Israel and New Zealand, but will determine any future UK adequacy decisions. Although these decisions will be the responsibility of the Secretary of State, the Secretary must consult the ICO (and other persons they consider to be appropriate) prior to making any such decision. DCMS and the ICO are required by the MoU to work closely together, sharing expertise and information, but ultimately DCMS is not bound in its decisions by the views of the ICO.
The MoU sets out the four phases through which DCMS will conduct its adequacy work, commencing with “gatekeeping”, the process by which a specific team within DCMS will consider whether to commence an assessment of a third country for adequacy purposes. This phase is followed by an assessment (based on the requirements of Article 45 of the GDPR), a recommendation to the Secretary of State and finally a procedural phase, during which the adequacy regulations will be drafted and laid before parliament. The ICO and DCMS are expected to meet for discussion at various intervals during this process.
The UK government stated after signing the MoU that it “intends to expand the list of adequate destinations in line with our global ambitions and commitment to high standards of data protection.”