The long-awaited data adequacy agreement between the European Union and Brexit Britain has finally been approved - but with a sunset clause built in, in case the UK makes good on its threats to deviate from its current adherence to the existing European data regime.
When Brexit kicked in at the start of this year, one missing element was a data adequacy arrangement which would allow for data to flow between the UK and EU member states without hindrance or resort to costly mechanisms, such as Standard Contractual Clauses.
During Brexit negotiations, the UK had committed to adhering to the existing data regime based on EU law, including GDPR. In February the agreement between London and Brussels was teed up in principle, but that was around about the time that the UK Government started talking up the idea of breaking away from the status quo, with Secretary of State for Digital Oliver Dowden briefing journalists:
I'm seeking to set out where we are going to go with data now that we have left the European Union and are not subject to EU jurisdiction… I think there's real opportunities for driving growth in respect of data…There are obviously areas where I think we can make more progress. In our rule making, we can take a slightly less European approach, as set out in GDPR, by focusing more on the outcomes that we want to have and less on the burdens of the rules imposed on individual businesses.
That’s enough to set alarm bells ringing in Brussels, so while the European Commission has now signed off on two adequacy decisions - one under the General Data Protection Regulation (GDPR) and the other for the Law Enforcement Directive - there’s a four-year window before these need to be reviewed and renewed to make sure the UK is still toeing the line. And the Commission has also warned it could intervene before that four-year period is over if Britain deviates from the current EU standards.
Věra Jourová, Vice-President for Values and Transparency, said:
The UK has left the EU, but today its legal regime of protecting personal data is as it was. Because of this, we are adopting these adequacy decisions today. At the same time, we have listened very carefully to the concerns expressed by the Parliament, the Member States and the European Data Protection Board, in particular on the possibility of future divergence from our standards in the UK's privacy framework. We are talking here about a fundamental right of EU citizens that we have a duty to protect. This is why we have significant safeguards and if anything changes on the UK side, we will intervene.
Meanwhile Didier Reynders, Commissioner for Justice, added:
After months of careful assessments, today we can give EU citizens certainty that their personal data will be protected when it is transferred to the UK. This is an essential component of our new relationship with the UK. It is important for smooth trade and the effective fight against crime. The Commission will be closely monitoring how the UK system evolves in the future and we have reinforced our decisions to allow for this and for an intervention if needed. The EU has the highest standards when it comes to personal data protection and these must not be compromised when personal data is transferred abroad.
As for the UK, Dowden stated:
After more than a year of constructive talks it is right the European Union has formally recognised the UK’s high data protection standards. This will be welcome news to businesses, support continued cooperation between the UK and the EU and help law enforcement authorities keep people safe. We will now focus on unlocking the power of data to drive innovation and boost the economy while making sure we protect people’s safety and privacy.
Whatever lies ahead, the signing off of the adequacy decisions has come as a welcome relief to the UK tech sector, with Julian David, CEO at industry body techUK, commenting:
Securing an EU-UK adequacy decision has been a top priority for techUK and the wider tech industry since the day after the 2016 referendum. The decision that the UK’s data protection regime offers an equivalent level of protection to the EU GDPR is a vote of confidence in the UK’s high data protection standards and is of vital importance to UK-EU trade as the free flow of data is essential to all business sectors. The data adequacy decision also provides a basis for the UK and EU to work together on global routes for the free flow of data with trust, building on the G7 Digital and Technology declaration and possibly unlocking €2 trillion of growth.
David also noted, however, that the UK now needs to look at what form its post-Brexit data regime needs to take:
The UK must also now move to complete the development of its own international data transfer regime in order to allow companies in the UK not just to exchange data with the EU, but also to be able to access opportunities across the world.
It’s clear that this is not the end game for either side as the Commission is clearly nervous about UK intent. Jon Baines, Senior Data Protection Specialist at law firm Mishcon de Reya, noted that:
Uniquely, these adequacy decisions contain a "sunset clause", under which they will expire after four years, and must be reassessed and renewed at that point. It is also important to note that the decisions are not without their critics, and it is possible that there may be legal challenges, which could ultimately end up at the European Court of Justice. What is certain is that the topic of international transfer of personal data will continue to exercise businesses – and lawyers – for some time to come.
A relief, but far from the end of the story. The UK needs to play its next moves very carefully indeed. It will come under pressure from the likes of the US to adopt a less rigorous data regime and the temptation to go along with this will be alluring. But as we warned back in March, playing dare with data adequacy is a digitally dumb thing to do.