The flow of personal data between the UK and EU can continue unchanged after the European Commission deemed Britain’s data protection standards as “adequate”.
The decision has been welcomed by UK businesses, who feared that failure to achieve data adequacy status would lead to costly alternative data-sharing arrangements.
It follows years of post-Brexit talks between London and Brussels after the UK’s EU exit meant it was a “third country”.
But the UK’s continued adoption of the General Data Protection Regulation (GDPR) – Europe’s landmark data laws introduced in 2018 – proved a crucial factor in earning its data adequacy arrangement.
The Commission also noted that public authorities in the UK provided “strong safeguards” for personal data.
However, the decision will be reviewed in four years’ time to check if the UK’s data protection standards remain in line with those of the EU. It is the first time the bloc has enforced a so-called “sunset clause” on a third country. Only 12 countries have positive data adequacy decisions from the EU, with the US twice being rejected by Europe’s top court for having incompatible surveillance laws.
“We are talking here about a fundamental right of EU citizens that we have a duty to protect,” said Věra Jourová, vice-president for values and transparency at the European Commission. “This is why we have significant safeguards and if anything changes on the UK side, we will intervene”.
The UK will also remain bound to the European Court of Human Rights when it comes to the automatic processing of personal data.
Secretary of State for Digital Oliver Dowden said: “After more than a year of constructive talks it is right the European Union has formally recognised the UK’s high data protection standards.
“This will be welcome news to businesses, support continued cooperation between the UK and the EU and help law enforcement authorities keep people safe.”
A draft adequacy decision was put forward in February and in recent weeks EU member states signed off on it, making the decision all but certain. It was formally signed off by the Commission on Monday.
UK business welcomes data adequacy decision
British businesses in sectors ranging from banking to advertising have welcomed the news that they will not need to alter the way they transfer personal data between the UK and EU. The UK government had previously estimated that failure to get a positive adequacy decision would have cost the UK economy up to £85bn per year due to the additional barriers.
“Given that data now underpins almost every function of businesses, obstructing data flows risked creating more costs, disruption and isolating growing companies from their customers,” said Russ Shaw, CBE, founder of Tech London Advocates and Global Tech Advocates. “Digital businesses in the UK can now breathe a sigh of relief that they can now continue to flourish and work fluidly with European partners to their mutual benefit.”
Chris Combemale, CEO of the Data & Marketing Association, said: “The UK can now progress new data legislation, such as the crucial National Data Strategy, knowing that a high-standards and innovation-focussed approach rests in harmony with the European perspective.”
Jon Baines, Senior Data Protection Specialist, at Mishcon de Reya, said businesses will greet the news with “relief”, but warned against assuming that “the story ends here”.
“The European Commission will continue to monitor the UK’s data-related laws and practice, and if it feels there is notable divergence from the EU model, it has the power to cancel the agreement,” he said. “There will also certainly be some people watching closely from the sidelines, such as those in the civil society sector, who may bring challenges to the legality of the decision itself, or of data transfers made under the decision.”
The UK’s data adequacy status may face challenges from a group of Conservative MPs who have formed the Taskforce on Innovation, Growth and Regulatory Reform (TIGRR) to investigate regulations that could be “reshaped” post-Brexit.
The pro-Brexit group has argued that Article 5 of GDPR prevents artificial intelligence (AI) companies from conducting large-scale data collection and reusing existing data for “novel purposes”.
Last week TIGRR published a 130-page report that received an endorsement from Prime Minister Boris Johnson.