Out-Law / Your Daily Need-To-Know

Edwards: UK knows value of EU data protection ‘adequacy’

Out-Law News | 30 May 2022 | 11:16 am | 2 min. read

The UK government knows the value of retaining an EU designation that supports the free flow of personal data between the EU and UK, the UK’s information commissioner has said.

In a speech in Brussels last week, John Edwards said he is “confident” that forthcoming reforms to UK law will not lower standards of data protection that apply to European citizens’ data when that data is transferred to the UK.

Edwards said: “There is law reform coming in the UK. You will hear politicians speak of the need to secure a Brexit dividend, and rhetoric describing the benefits of being free of the red tape of European regulation. We are yet to see the proposals in black and white after the consultation period, but I can assure you that I, and my staff, have worked closely with officials and ministers to ensure that all that is good about the GDPR is not traded away for hypothetical gains.”

“Decision makers in the UK are well aware of the value of retaining the European Commission’s adequacy determination, and the costs of losing it. I am confident that what will emerge from the reform process will reassure Europeans that Europeans data in the UK will continue to enjoy the same high standard of protection that it does within the EU. I urge you to look beyond any political rhetoric, and stress test the proposal against a criteria of risk to EU interests, and I am sure when you do so you will find it holds up,” he said.

UK data protection law was last substantially updated in 2018 when the General Data Protection Regulation (GDPR) took effect, though the EU legislation was subsequently converted into UK law with some minor amendments at the point that Brexit took effect. Despite the relatively recent overhaul and the fact many businesses surveyed reported seeing benefits from the GDPR, the UK government consulted on possible reforms to data protection law last year. It recently signalled its plans to introduce a Data Reform Bill into parliament over the next year. Further details of its policy intentions are expected to be outlined shortly in its consultation response.

Both the UK GDPR and the EU GDPR place restrictions on the transfer of personal data outside of the jurisdiction, reflecting the fact that data protection standards vary globally. The legislation requires exporters to ensure, via the legal tools available to them, that the transferred data is governed in accordance with the data protection standards that apply in the UK.

One mechanism that the EU uses to support international data transfers is ‘adequacy’ decisions. These represent designations by the EU that specific countries or territories to which EU citizens’ personal data might be transferred provide for data protection standards that are ‘essentially equivalent’ to those that apply when the data is being processed within the EU. Where an adequacy decision applies, organisations are free to transfer personal data from the EU to the designated jurisdictions without having to apply other legal tools for data transfers.

The European Commission has issued several adequacy decisions – including in respect of the UK post-Brexit. Unusually, the adequacy decisions relating to the UK included a ‘sunset clause’, meaning that they will expire after four years and will only be renewed if the UK continues to ensure an adequate level of protection. Some businesses fear that the UK government’s plans for data protection reform will diverge too far from the EU GDPR and cause EU policymakers to reconsider the UK’s adequacy status.

Data protection law expert Rosie Nance of Pinsent Masons said: “Maintaining UK ‘adequacy’ will be important to ensuring international organisations can continue to transfer data internally and externally without significant additional compliance burdens.” 

A recent survey of UK businesses commissioned by the government found that 10% of all UK businesses send or received digitised data, whether personal data or non-personal data, to or from organisations based outside of the UK. For those organisations where international data flows include transfers between the UK and European Economic Area (EEA), maintaining UK adequacy allows those transfers to continue without the need to in place standard contractual clauses or another ‘appropriate safeguard’ under the GDPR.