05 Mar Optimism for Data Reciprocity between the EU and UK
Amongst continued uncertainty surrounding the effects of Brexit, some clarity regarding the issue of flow of data between the European Union (EU) and the United Kingdom (UK) has been achieved. The safe exchange of data between the EU and the UK is imperative for continued economic prosperity, the proper functioning of businesses and law enforcement. Certainty regarding the use, transmission and storage of data ensures the safety of the individuals and entities who use and own it.
As a member of the EU, data transfer between the UK and other member states was regulated by the General Data Protection Regulations (GDPR). The UK’s exit from the EU meant that the transmission of data between the entities was no longer assured and organisations required clarification as to how such data should be processed.
Although the UK elected to allow personal data from the UK to continue to be transferred freely to the EU, thereby accepting the protections offered by the EU’s GDPR, it was unclear whether the EU member states and relevant decision-making bodies would allow the UK to do the same.
The Trade and Cooperation Agreement, agreed in December 2020, between the UK and the EU allows for a grace period of six months, to expire in June 2021, in which data could continue to be exchanged, while a decision was made by the European Commission and European Data Protection Board regarding the transfer of personal data to the UK. In order for the free flow of data between the EU and the UK to continue, the European Commission was tasked with deciding whether UK data protection law was stringent enough to allow for continued data sharing.
Although the UK’s data protection laws were amended in 2018 to align with and incorporate the EU General Data Protection Regulations, it was unclear whether EU entities would take exception to the domestic laws surrounding surveillance in the UK and the impact this would have on the decision, future opinions and approval.
On 19 February 2021, the European Commission published its draft adequacy decision which held that UK data protection laws are sufficiently rigorous to allow continued secure exchange of information between the UK and EU nations. All that now remains is for the European Data Protection Board (EDPB) to provide its opinion regarding the decision and pending final approval by the goverments of EU member states, the decision can then be adopted. The EDPB plans to present its opinion by mid-April 2021.
The UK’s Information Commissioners Office released a statement confirming that the “announcement gets us a step closer to having a clear picture for organisations processing personal data from the EU”. Although not final, being a stage closer to concluding issues such as these, is a step in the right direction.