Shorter Reads

UK data protection standards to be deemed adequate by the EU

The EU agrees that British data protection standards are sufficient to receive an adequacy decision before the end of the month.

1 minute read

Published 22 June 2021

Share

Key information

There is only a fortnight to go before the expiry of the current grace period that allows personal data to continue to flow between the UK and the EEA as it did before the end of the Brexit transition period. However, EU member states have now agreed that British data protection standards are sufficiently high for the UK to receive an adequacy decision in time to enable these data flows to continue after the end of the month.

This news will be a relief to businesses and other organisations around the world, which otherwise would have had to embark on an expensive, time-consuming, and burdensome recalibration of their cross-border data flows. It had been estimated that the British economy could have lost up to £85 billion had no adequacy decision been granted. Despite the current alignment between the UK and the EU with regard to data protection, the approval of EU member states had not been a foregone conclusion: in February, for example, the European Parliament’s LIBE Committee issued a non-binding opinion that the UK should not be granted an adequacy decision due to national security concerns.

The backing of the member states for the UK to receive an adequacy decision, however, means that the European Commission will shortly adopt two adequacy decisions to allow continued data flows between the UK and the EEA. Effectively, the UK will join a select list of non-EEA ‘third countries’ to which EU-regulated personal data can continue to flow without further restrictions. Other countries on this list include (among others) Argentina, Israel, New Zealand, Switzerland, and Japan. In a reciprocal move, the UK has also confirmed that personal data can also continue to be transferred to the EEA as previously.

Data controllers and processors should be aware, however, that the position is not quite the same as it had been when the UK was an EU member state. Adequacy decisions are not permanent and have to be renewed every four years. Any renewal of the UK’s adequacy status in 2025 will depend on whether the UK’s data protection regime aligns with the EU’s, which is by no means certain given the enthusiasm from some quarters of the UK government to diverge from the EU position in the near future. In particular, the adequacy of the UK is partially based on Britain’s adherence to the European Convention of Human Rights and its submission to the jurisdiction of the European Court of Human Rights. If, as some ministers have suggested, the UK’s human rights regime is altered in such a way as not to be consistent with these, then there remains a risk that the UK will lose this newly gained adequacy status.

Moreover, irrespective of the adequacy decision, the UK’s withdrawal from the EU has also entailed additional challenges for business in respect of data protection: for example, UK businesses that have EEA-based customers must now appoint an EU data protection representative, while companies established in the EU must similarly appoint a UK representative if they process the personal data of individuals resident in the UK.

For now, though, the approval of EU member states of the adequacy of the UK’s data protection regime is welcome, particularly at a time when data transfers are instrumental in facilitating research in the fight against COVID-19.

Related latest updates
PREV NEXT

Related content

Arrow Back to Insights

Shorter Reads

UK data protection standards to be deemed adequate by the EU

The EU agrees that British data protection standards are sufficient to receive an adequacy decision before the end of the month.

Published 22 June 2021

Associated sectors / services

  • Data Protection

There is only a fortnight to go before the expiry of the current grace period that allows personal data to continue to flow between the UK and the EEA as it did before the end of the Brexit transition period. However, EU member states have now agreed that British data protection standards are sufficiently high for the UK to receive an adequacy decision in time to enable these data flows to continue after the end of the month.

This news will be a relief to businesses and other organisations around the world, which otherwise would have had to embark on an expensive, time-consuming, and burdensome recalibration of their cross-border data flows. It had been estimated that the British economy could have lost up to £85 billion had no adequacy decision been granted. Despite the current alignment between the UK and the EU with regard to data protection, the approval of EU member states had not been a foregone conclusion: in February, for example, the European Parliament’s LIBE Committee issued a non-binding opinion that the UK should not be granted an adequacy decision due to national security concerns.

The backing of the member states for the UK to receive an adequacy decision, however, means that the European Commission will shortly adopt two adequacy decisions to allow continued data flows between the UK and the EEA. Effectively, the UK will join a select list of non-EEA ‘third countries’ to which EU-regulated personal data can continue to flow without further restrictions. Other countries on this list include (among others) Argentina, Israel, New Zealand, Switzerland, and Japan. In a reciprocal move, the UK has also confirmed that personal data can also continue to be transferred to the EEA as previously.

Data controllers and processors should be aware, however, that the position is not quite the same as it had been when the UK was an EU member state. Adequacy decisions are not permanent and have to be renewed every four years. Any renewal of the UK’s adequacy status in 2025 will depend on whether the UK’s data protection regime aligns with the EU’s, which is by no means certain given the enthusiasm from some quarters of the UK government to diverge from the EU position in the near future. In particular, the adequacy of the UK is partially based on Britain’s adherence to the European Convention of Human Rights and its submission to the jurisdiction of the European Court of Human Rights. If, as some ministers have suggested, the UK’s human rights regime is altered in such a way as not to be consistent with these, then there remains a risk that the UK will lose this newly gained adequacy status.

Moreover, irrespective of the adequacy decision, the UK’s withdrawal from the EU has also entailed additional challenges for business in respect of data protection: for example, UK businesses that have EEA-based customers must now appoint an EU data protection representative, while companies established in the EU must similarly appoint a UK representative if they process the personal data of individuals resident in the UK.

For now, though, the approval of EU member states of the adequacy of the UK’s data protection regime is welcome, particularly at a time when data transfers are instrumental in facilitating research in the fight against COVID-19.

Associated sectors / services

  • Data Protection

Need some more information? Make an enquiry below.

    Subscribe

    Please add your details and your areas of interest below

    Specialist sectors:

    Legal services:

    Other information:

    Jurisdictions of interest to you (other than UK):



    Enjoy reading our articles? why not subscribe to notifications so you’ll never miss one?

    Subscribe to our articles

    Message us on WhatsApp (calling not available)

    Please note that Collyer Bristow provides this service during office hours for general information and enquiries only and that no legal or other professional advice will be provided over the WhatsApp platform. Please also note that if you choose to use this platform your personal data is likely to be processed outside the UK and EEA, including in the US. Appropriate legal or other professional opinion should be taken before taking or omitting to take any action in respect of any specific problem. Collyer Bristow LLP accepts no liability for any loss or damage which may arise from reliance on information provided. All information will be deleted immediately upon completion of a conversation.

    I accept Close

    Close
    Scroll up

    Find out about Business

    Find out about Dispute Resolution

    Find out about Individuals & Families

    Find out about Real Estate

    We are Collyer Bristow - The law firm for those that
    value individuality, creativity and collaboration.

    Legal & Pricing info Regulatory InformationAccessibilitySitemapPricing and service information

    Listen to our latest podcast: No notice, no claim? (Drax v Scottish Power)

    Read our latest article: Election 2024: Domicile, Inheritance Tax, and change promised by the new Labour government

    Watch our latest video: What is a nuptial agreement? A full guide to everything you need to know about pre and post nups

    Read our latest article: Election 2024: Initial comments on potential tax changes

    Read our latest article: Labour wins UK general election: What changes are coming for employers?

    ExpandNeed some help?Toggle

    < Back to menu

    I have an issue and need your help

    Scroll to see our A-Z list of expertise

    Get in touch

    Get in touch using our form below.



      Business Close
      Private Wealth Close
      Hot Topics Close