General News

Brexit update - Adequacy

We've looked at the importance of an adequacy decision to allow the free-flow of data between the United Kingdom and Europe in our earlier articles on Brexit. Finally, although in reality quite quickly, we have a decision - with draft adequacy decisions from the European Commission.

If approved, this would mean that data can continue to flow uninterrupted following the ending of the bridging period which ends on June 30 2020.

Here's the important bit from the GDPR decision:

"The Commission has carefully analysed the law and practice of the United Kingdom. Based on the findings developed in recitals (7) to (264), the Commission concludes that the United Kingdom ensures an adequate level of protection for personal data transferred within the scope of Regulation (EU) 2016/679 from the European Union to the United Kingdom."

Interestingly, there was another decision relating to data transfers under the Law Enforcement Directive regarding data for law enforcement. Of interest in both draft decisions, are that they will have looked at the UK's Investigatory Powers Act 2016 (which allows data collection for national security purposes). This was always going to be a hurdle, but it looks like it has passed - though the European Data Protection Board may look again.

It is likely that there is a balance in the operation and enforcement of the Information Commissioner's Office...which also likely means that as long as we seek to have adequacy, there will be a data protection regulator and similar standards to what we have now. In fact, the EU can monitor the progress of any divergence from EU data protection law and reverse the decision if any divergence is problematic.

Assuming at this stage the adequacy decision is upheld (the rapidness mentioned earlier suggests as much a political decision as anything), then we may see challenges in court, just as the data transfer mechanisms with the USA have been challenged in court and found to be unlawful. It may be a bumpy ride... The other issue is that with the fallout of Schrems II (the collapse of Privacy Shield) we are unlikely to see any unilateral mechanism for data transfers from the United Kingdom to the USA. So for the time being, we rely on the standard model classes that are being widely adopted.