On 19 February 2021, the European Commission (EC) published the first draft of its adequacy decision in relation to the UK. If this is approved it will permit personal data to be sent from the EEA to the UK without any additional safeguards.
This is important since the Brexit deal in the UK-EU Trade and Cooperation Agreement only permits personal data to be sent to the UK from the EEA until 30 June 2021 without additional safeguards. In view of the fact that the data flows between the UK and the EEA were estimated to exceed 400 billion Euros in 2020 this is good news for businesses and the ICO has described the draft as “an important milestone”.
Even though it is a positive move forward, there are some things which businesses should bear in mind. First, it is not a “done deal”. The decision is currently in draft and we are at a stage where we await the European Data Protection Board’s non-binding opinion on the draft before the decision goes out to EU Member States for approval.
Secondly, the adequacy decision has been limited to a 4 year term after which the decision will need to be renewed or it will no longer have effect. This is unusual and differs from existing adequacy decisions which are not time limited. Although each country with a finding of adequacy is monitored and kept under a level of review to ensure that privacy standards are maintained, the UK will be subject to additional jeopardy as unless renewed its adequacy decision will fall away in four years’ time. Businesses should therefore keep things under review.
Finally, the finding of adequacy may well be subject to challenge even in the initial four year period. The draft decision is already under scrutiny by privacy activist, Max Schrems who has said that he will “take a look” and that UK Government surveillance requires analysis. It remains to be seen how this will play out, but it is one to monitor.
Whilst this is undoubtedly a positive move and will give clarity to UK businesses that rely on personal data being sent to the UK from the EEA it doesn’t mean that businesses can ignore the issue going forward. The time limited nature of the decision will mean that businesses will have the potential refusal to renew hanging over their heads together with any potential action taken by privacy campaigners.