The end is in sight – and the UK might be adequate!
On 31st December 2020, the Brexit transition period ended. From 1st January 2021, the UK became a third country for the purposes of the EU GDPR.
The Brexit Agreement essentially gave the UK and EU six months to try and reach a long-lasting agreement. It said that;
- The UK would not be regarded as a third country until 1st May 2021: personal data could continue to flow between the EU and UK, and
- During this period, the EU would consider granting the UK an adequacy decision.
This would essentially mean the flows of data between the EU and UK could continue as now; the EU would regard the UK as a country with “adequate” data protection laws.
Six months might not seem a long time to assess the UK and reach a decision. But given that EU law has shaped the UK’s data protection laws for decades (rather than the normal process, whereby the EU uses the adequacy assessment to try and bring a country’s law and data protection regime into line with the GDPR) it seemed possible.
An announcement within 2 months
And so it was! The EU announced on 19th February that a draft adequacy decision had been presented to the European Data Protection Board (EDPB) for consideration.
It is widely hoped that the EDPB will give the green light; EDPB approval will mean that the adequacy decision can then be presented to EU Member States. If there is approval at this final stage, the UK will have its adequacy decision.
This would remove the need for EU organisations transferring data to the UK to scramble and search for alternative safeguards, like Standard Contractual Clauses. They can simply continue as before.
What about flows the other way (from the UK to EU)?
Personal data can continue to flow from the UK to the EU and countries where the UK has said the country has achieved UK “adequacy regulations” (i.e. the UK’s version of “adequacy decisions” which are currently one in the same thing). At the present time, the UK simply adopted all the EU adequacy decisions in place as of 31st December (i.e. the UK mirrors the EU regime).
What about the future?
It remains to be seen what happens if the UK starts to break away from EU precedent. The upcoming update to the ePrivacy rules may soon provide a test: the Brexit Agreement commits both the UK and EU to upholding “high standards of data protection” but in theory, the UK will not have to adopt the ePrivacy rules. Will the UK want to maintain parity with its European counterparts or come up with its own “dynamic” update of ePrivacy rules?
Both sides have confirmed that they will keep adequacy decisions/regulations “under review”. But for the immediate future, we may be close to a period of stability. We’ll keep you updated!
Protecture has been advising a number of clients on their obligations under the EU and UK GDPR post-Brexit, both in terms of their obligations in respect of personal data transfers and their duty to appoint an EU representative. Get in touch now for advice and support on these complex issues.