Photo taken by Scott Graham.
Draft UK Adequacy Decision Published
The Brexit transition period formally stopped at the end of 2020. We recently wrote an article on what happens to data protection laws in the UK post-Brexit (you can read all about that here). Fortunately for businesses, the vast majority of day-to-day data protection activities and laws remain unchanged from when the UK was in the EU. There is, however, still some uncertainty over whether the EU will grant the UK an adequacy decision. An adequacy decision would allow the uninterrupted flow of personal data between the EU and UK (as if the UK had never left the EU). This would be the best outcome for UK and EU businesses. If an adequacy decision is not granted by the EU, then the UK would be seen as a ‘third country’ under the GDPR. This would create significant paperwork for EU and UK businesses involving the rewriting of many contracts.
The deadline to make this adequacy decision is June of 2021 and it seems that the EU Commission have initially given the green light. The EU Commission have published a draft document granting the UK adequacy status. This is only the initial phase of the decision-making process; the decision still needs to be approved by the European Data Protection Board (a committee of the Supervisory Authorities in the EU).
There are still concerns in the privacy world over the UK’s controversial ‘Investigatory Powers Act 2016’ (colloquially known as the Snoopers Charter). This controversial UK law gives the government the power to perform mass surveillance on the data passing through the UK. This law alone may be enough to give the European Data Protection Board a reason to deny this draft decision. As the prominent privacy rights campaigner, Max Schrems, succinctly put:
‘There seems to be little doubt about adequacy of the commercial data use. At the same time there are obviously issues on UK government surveillance on EU data, which requires deeper analysis.’ – Max Schrems 19/02/2021
The approval of a UK adequacy status would be excellent news for EU and UK businesses. It would allow the uninterrupted flow of personal data between the EU and UK (as if the UK had never left the trading bloc). Unfortunately the decision relies on more than simply what is best for business.
Tacita will provide updates on this story as it progresses.
About Us: Tacita is a leading General Data Protection Regulation (GDPR) compliance specialist operating from their base in the United Kingdom. This company helps clients maintain their GDPR compliance by undertaking independent external GDPR assessments in a cost-effective manner with minimal disruption to the client. Offering clear and actionable solutions, the company offers an unbiased service ensuring their clients save time, money, and energy when it comes to their GDPR requirements. Tacita provides a three-step process, which includes assessments, recommendations and resolutions with detailed reporting and data processing, record processing and privacy policies. Full details can be found at https://www.tacita.io/