The EU has recognised the UK’s data protection standards, post-Brexit. The EU has agreed that they conform with the protections offered inside the single market. As a result, personal data can continue to flow freely between Europe and the UK after the European Union chose to adopt data adequacy decisions on the issue.
The announcement by the European Commission means UK businesses and organisations can continue to receive personal data from the EU and wider European Economic Area without having to put additional data security measures in place. It recognises the UK can match the protections offered under the EU’s General Data Protection Regulation (GDPR) and Law Enforcement Directive (LED).
The Commission has today adopted two adequacy decisions for the United Kingdom. One under the General Data Protection Regulation (GDPR) and the other for the Law Enforcement Directive. Personal data can now flow freely from the European Union to the United Kingdom where it benefits from an essentially equivalent level of protection to that guaranteed under EU law. The adequacy decisions also facilitate the correct implementation of the EU-UK Trade and Cooperation Agreement, which foresees the exchange of personal information, for example for cooperation on judicial matters. Both adequacy decisions include strong safeguards in case of future divergence such as a ‘sunset clause’, which limits the duration of adequacy to four years.
Protecting personal data
Věra Jourová, Vice-President for Values and Transparency, said: “The UK has left the EU. But its legal regime of protecting personal data is as it was. Because of this, we are adopting these adequacy decisions. We have listened very carefully to the concerns of the European Parliament, Members States and the European Data Protection Board. In particular on the possibility of future divergence from our standards in the UK’s privacy framework. We are talking here about a fundamental right of EU citizens that we have a duty to protect. This is why we have significant safeguards and if anything changes on the UK side, we will intervene”.
Digital Secretary Oliver Dowden said it is “right” that the EU has “formally recognised the UK’s data protection standards after more than a year of talks.
“This will be welcome news to businesses. It supports continued co-operation between the UK and the EU, and help law enforcement authorities keep people safe,” he said.
“We will now focus on unlocking the power of data to drive innovation and boost the economy. While making sure we protect people’s safety and privacy,” Dowden added.
CBI director of policy John Foster said the decision will be welcomed by businesses across the UK. “The free flow of data is the bedrock of the modern economy and essential for firms across all sectors. From automotive to logistics, playing an important role in everyday trade of goods and services.
“This positive step will help us move forward as we develop a new trading relationship with the EU.”
Enterprise Times: What this means for business?
The EU has decided that the UK will continue to be seen as a safe country for the purposes of personal data flows from the EU. The news will be greeted with much relief by businesses. It would otherwise face having to consider costly alternative measures to continue those data flows.
However, the European Commission will continue to monitor the UK’s data-related laws and practice. If it feels there is notable divergence from the EU model, it has the power to cancel the agreement. According to Jon Baines, Senior Data Protection Specialist, at Mishcon de Reya, “There will also certainly be some people watching closely from the sidelines. Such as those in the civil society sector, who may bring challenges to the legality of the decision itself. Or of data transfers made under the decision.”