Draft UK Adequacy Decision Published

Someone signing a document.
Photo taken by Scott Graham.

The Brexit transition period formally stopped at the end of 2020. We recently wrote an article on what happens to data protection laws in the UK post-Brexit (you can read all about that here). Fortunately for businesses, the vast majority of day-to-day data protection activities and laws remain unchanged from when the UK was in the EU. There is, however, still some uncertainty over whether the EU will grant the UK an adequacy decision. An adequacy decision would allow the uninterrupted flow of personal data between the EU and UK (as if the UK had never left the EU). This would be the best outcome for UK and EU businesses. If an adequacy decision is not granted by the EU, then the UK would be seen as a ‘third country’ under the GDPR. This would create significant paperwork for EU and UK businesses involving the rewriting of many contracts.

The deadline to make this adequacy decision is June of 2021 and it seems that the EU Commission have initially given the green light. The EU Commission have published a draft document granting the UK adequacy status. This is only the initial phase of the decision-making process; the decision still needs to be approved by the European Data Protection Board (a committee of the Supervisory Authorities in the EU).

There are still concerns in the privacy world over the UK’s controversial ‘Investigatory Powers Act 2016’ (colloquially known as the Snoopers Charter). This controversial UK law gives the government the power to perform mass surveillance on the data passing through the UK. This law alone may be enough to give the European Data Protection Board a reason to deny this draft decision. As the prominent privacy rights campaigner, Max Schrems, succinctly put:

‘There seems to be little doubt about adequacy of the commercial data use. At the same time there are obviously issues on UK government surveillance on EU data, which requires deeper analysis.’

The approval of a UK adequacy status would be excellent news for EU and UK businesses. It would allow the uninterrupted flow of personal data between the EU and UK (as if the UK had never left the trading bloc). Unfortunately the decision relies on more than simply what is best for business.

Tacita will provide updates on this story as it progresses.

About Us: Tacita are GDPR compliance experts. Tacita help clients achieve and maintain GDPR compliance. Get in touch to explore our range of GDPR services including the Tacita GDPR Audit, GDPR Consultant Service and the GDPR Toolkit.

Share this article:

Facebook
Twitter
LinkedIn
WhatsApp