Out-Law News | 19 Feb 2021 | 4:26 pm | 4 min. read
The draft decisions of the Commission, which still need to be formally approved by representatives of EU member state governments, concern both the EU General Data Protection Regulation and the Police and Criminal Justice Data Protection Directive that sits alongside it.
Clarity on this issue in the weeks ahead will allow businesses to focus on more exciting data-related initiatives
The draft decisions show that the Commission intends to designate UK data protection standards as being "essentially equivalent" to those that apply in the EU. Confirmation of that would bring long term certainty for businesses that have been "paralysed" by uncertainty concerning future cross-border data flows in Europe in light of Brexit, said data protection law expert Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.
"This announcement by the European Commission will come as a relief to many businesses," Wynn said. "Uncertainty over EU-UK data flows has been one of the biggest issues for businesses to deal with coming out of Brexit. Not knowing whether the EU would grant data adequacy to the UK has forced some companies to put on hold data innovation projects and instead retain some budget to potentially introduce new safeguards for EU-UK data transfers in order to comply with EU data protection laws in the event an adequacy decision was not granted."
"Although the Commission's decisions have still to be approved and adopted, this is a major step forward to addressing the paralysing uncertainty for businesses. Clarity on this issue in the weeks ahead will allow businesses to focus on more exciting data-related initiatives at a time when data-driven innovation is becoming increasingly central to business competitiveness across sectors," she said.
Dr. Totis Kotsonis
Partner, Head of Subsidies, Procurement, Trade Agreements and Trade Remedies
When seeking comprehensive trade agreements with other strategic partners, there might be demands for the UK to relax our current data protection standards
Dr. Totis Kotsonis, who specialises in international trade law at Pinsent Masons, said that, pending approval, the UK's 'adequacy' status in future will depend on it maintaining current data protection standards under potential pressure and incentives to adjust its approach from other trade partners. Commission vice president, Věra Jourová, highlighted that the Commission has "clear and strict mechanisms in terms of both monitoring and review, suspension or withdrawal of such decisions, to address any problematic development of the UK system after the adequacy would be granted".
Kotsonis said: "Ultimately, we expect that the UK would be championing rigorous data protection standards in the context of negotiating further bilateral or plurilateral trade agreements and indeed, in the context of its participation in international fora. However the risk remains that when seeking comprehensive trade agreements with other strategic partners, there might be demands for the UK to relax our current data protection standards, leading to the unenviable situation where we have to choose one trading relationship over another."
Wynn said that a further risk to the UK's data adequacy status in future could emerge through the courts. She said there has been significant debate as to whether surveillance powers enjoyed by UK authorities under legislation such as the Investigatory Powers Act undermine data protection standards. She said the Court of Justice of the EU (CJEU) has already scrutinised the Commission's decisions on data transfer mechanisms following high-profile legal challenges concerning EU-US data transfers in particular, where the powers of surveillance of US authorities and countering privacy safeguards were considered – its judgment in the so-called 'Schrems II' case last year being the latest example.
"The UK is certainly not immune from the risk that this adequacy decision could be called into question by privacy campaigners and ultimately challenged in the CJEU," Wynn said.
EU data protection law puts restrictions on the transfer of personal data outside of the European Economic Area (EEA). One way in which organisations can transfer personal data outside of this trading bloc is where they do so to a 'third' country that benefits from a so-called 'adequacy decision' of the European Commission. Following Brexit, the UK is a third country to the EU.
Countries that benefit from an adequacy decision are considered to have laws essentially equivalent to those that safeguard personal data inside the EEA. Where an adequacy decision has been issued, data transfers between the EU and those third countries are said to be compliant with EU data protection laws. For example, Canada, Switzerland and New Zealand are among the countries that benefit from a Commission adequacy decision.
In respect of EU-UK data transfers, at the moment a temporary solution is in place. The EU-UK Trade and Cooperation Agreement provides for a transitional period from 1 January permitting the continued transfer of personal data from the EU to the UK. This interim period expires on 30 June. For data transfers from the UK to the EU, the UK government had already confirmed these are authorised to continue until at least 2024.
In a statement, the UK government welcomed the European Commission's draft decisions. It said: "Seamless international data flows are essential in a hyper-connected world. They underpin the exchange of information and ideas supporting trade, innovation and investment, assist with law enforcement agencies tackling crime, and support the delivery of critical public services sharing personal data as well as facilitating health and scientific research."
"Technical confirmation of the draft adequacy decisions will help make sure UK businesses and organisations in everything from logistics to legal services, healthcare to human resources, can continue to receive personal data from the EU and EEA without additional compliance costs. This ensures they will avoid potential knock-on effects for consumers and boost UK start-ups and smaller firms which operate in EU markets and sell to EU customers," it said.
The Commission's draft decisions were also welcomed by business groups. Julian David, chief executive of industry association techUK, said: "Today's decisions are warmly welcomed by the tech sector which has been making clear the importance of a mutual data adequacy agreement since the day after the referendum. Receiving data adequacy, alongside the EU-UK Trade and Cooperation Agreement, will set a solid foundation for digital trade with the EU, including strong non-discrimination clauses and positive data flows provisions, that will give businesses the confidence to invest. As we go forward, the UK must also complete the development of its own international data transfer regime, allowing UK companies not just to exchange data with the EU, but also to be able to access global opportunities."
Before going forward for approval by a committee composed of representatives of the EU member states, the Commission's draft adequacy decisions will be scrutinised by data protection authorities from across the trading bloc through the European Data Protection Board (EDPB). However, the opinion of the EDPB in respect of data adequacy decisions is not binding on the Commission.
11 Aug 2020
10 Feb 2021