EU Releases Draft Decision on UK Data Privacy Standards

Post Series: Data Privacy Legislation

Since the start of 2021, post-Brexit data relationships between the European Union and the United Kingdom have been governed by the EU-UK Trade and Cooperation Agreement, which established a temporary period of 4-6 months during which data could flow freely between the two jurisdictions.

Beyond that, the future was unclear. The grace period could have been extended to a year. The agreement prohibited either party from restricting cross-border data transfers for at least three years, so it seemed that some level of normalcy would remain, at least for the short term.

Though the UK’s current data privacy regime is just an amended version of the General Data Protection Regulation, the UK is still considered a third country under GDPR. As with any other third country, free-flowing data transfers are only allowed if the EU deems its privacy regime “adequate”, meaning that it ensures a level of data protection comparable to the one EU citizens receive at home.

Thus, the long-term future of GDPR-compliant data transfers between the UK and the EU has been riding on one decision: is the UK’s data privacy regime comprehensive enough to ensure “adequate” protection to EU citizens?

In a draft adequacy decision on the matter, the EU seems ready to accept that the UK offers adequate data protections for EU data subjects. In fact, “adequate” might be putting it lightly. The European Commission admitted that the UK’s level of protection is “essentially equivalent” to the EU’s. Of course, this is just a draft, so it needs to be reviewed by the European Data Protection Board before it is approved.

That being said, this is promising for businesses that transfer data between the EU and the UK, especially considering that the UK has likewise deemed the EU adequate on a transitional basis, a position that is likely to hold until 2024.

Something similar applies to the EU’s adequacy decision. Even if it is confirmed, it won’t last forever. Instead, it will be reviewed by both the EU and the UK to ensure that no changes to their data protection regimes have undermined their adequacy. These reviews will occur every four years, a longer period than other “adequate” jurisdictions, such as Japan, receive under GDPR.

There is concern over how this decision will hold up in light of the Schrems II decision that struck down the EU-US Privacy Shield on the grounds that US surveillance laws are too incompatible with GDPR to guarantee an adequate level of privacy for transfers of EU data into the US. Considering the recent scrutiny the UK’s own surveillance laws have received from the European Court of Human Rights, it’s hard to be certain of the decision’s long-term prospects.

This scrutiny has bled into the adequacy decision, where the EC actively considers whether the UK’s restriction of human rights in the cases of immigration or safeguarding national security is problematic enough to undermine its level of protection. However, it concludes that since these exemptions apply only on a case-by-case basis, they are unlikely to have any effect on the decision.

If adopted, this decision means that data will continue to flow freely between the UK and the EU without the need for standard contractual clauses, binding corporate rules or other additional safeguards; the existing UK law would be sufficient for data exporters.

Of course, that doesn’t mean that the UK will get the same treatment it would if it were still in the EU. Things might change for companies that process data in both jurisdictions or are based in one and target individuals in the other.

In these cases, GDPR’s “one-stop shop” mechanism, under which organizations could use a representative or data protection authority in one EU country to handle compliance across the entire EU, no longer applies. Depending on the gap left in their current compliance process, companies may have to appoint an additional data protection officer in either the UK or the EU. Employees hired as data protection officers for the EU will no longer have the UK within their jurisdiction. Organizations whose lead supervisory authority for GDPR was the UK Information Commissioner’s Office (ICO) will need to find a new EU-based authority in order to comply.

Naturally, this decision is conditional on the UK’s continued adherence to its current privacy regulation, which mirrors many of the principles, rights and safeguards established under GDPR. This will make it challenging for the UK to change its privacy law, because any such change could potentially unravel the decision.
