The European Union has agreed that the UK’s data protection standards are sufficiently high to allow for the continued flow of data, but it remains to be seen how much reassurance this really offers to UK businesses.
The European Union (EU) member states have agreed that the UK’s standards for the protection of personal data are of a sufficient level that such data may continue to flow between the bloc and its former member. As such, the European Commission (EC) has taken two adequacy decisions, relating to the EU’s General Data Protection Regulation along with a directive on the processing of personal data connected with criminal offences.
These decisions will allow for the continued flow of customer data and are therefore of particular importance to UK businesses operating inside the EU. They also provide for the flow of data between police and prosecutors investigating cross-border crime across the Channel.
The EU cut it pretty fine in taking these decisions, making their minds up just two days before the 30 June deadline. Until then, a six-month grace period had been in place, during which flows had been allowed after the UK’s final exit from the EU prior to any adequacy decision being made.
UK businesses with operations in the EU or which are otherwise reliant on international data flows will hope that these decisions spell an end to the uncertainty regarding the possible impact of no decision being taken in time for the 30 June deadline.
However, the uncertainty may not be entirely resolved. While the EU has taken similar adequacy decisions in relation to the data standards of other countries, including Canada and New Zealand, this is the first instance of the EU including a “sunset clause”, meaning that the decisions will expire automatically after four years. The reason for this, presumably, is that unlike other free trade agreements where third countries have aligned with EU standards, the UK’s departure was intended to give the UK greater freedom and control, including the right to diverge from EU standards.
The EU has stated that the adequacy decisions will be renewed at the end of this period, provided the UK continues to comply with their standards of data protection, creating unwelcome uncertainty. Furthermore, the EC also has the power to intervene during this four-year period, if the UK at any point deviates from the current levels of data protection.
In theory, the adequacy decisions may provide less reassurance for businesses than they might initially suggest, because any legislative changes in the UK’s personal data protection regime could trigger the EC to take action, and possibly halt the flow of data from the EU. In practice, it remains to be seen whether the UK will actually introduce divergent legislation. GDPR standards have been widely accepted, and broadly welcomed, across businesses and the general public in the UK, but it is certainly an area worth keeping an eye on if you are involved in the international transfer of data.