In a draft adequacy decision, reported to have been seen by the Financial Times (FT), the European Commission (the “Commission”) is set to allow the continued free flow of data between the EU and UK, after confirming that the UK offers an adequate level of protection for personal data, pursuant to Article 45 of the General Data Protection Regulation (the “GDPR”). According to the FT, the draft decision can be expected this week.
The decision, once adopted, will replace the current interim solution, agreed under the EU-UK Trade and Cooperation Agreement, which allows for companies and organisations to transfer personal data from the EU to the UK up until 30 June 2021. For more information on the interim solution please see our previous update “Brexit Updated: Interim Deal Reached on EU-UK Data Transfers”.
The decision will be welcomed by businesses, particularly those that regularly transfer customer personal data from the European Economic Area (“EEA”) to the UK e.g. those that operate within insurance, health, technology and financial sectors. According to the FT, and in line with the GDPR, the adequacy finding will be re-examined every four years to ensure the UK rules continue to offer the adequate level of protection required by Article 45(3).
Whilst the decision was anticipated, there remained significant uncertainties for businesses, who were advised by the Information Commissioner’s Office (the “ICO”) to take sensible precautions, putting in place alternative data transfer mechanisms to safeguard against any interruption to the free flow of EU to UK personal data. Such a mechanism is likely to have involved the adoption of standard contractual clauses (“SCCs”), which allow for the lawful and secure transfer of personal data from within the EEA to countries outside the EEA (“third countries”), provided that an accompanying “Schrems II” data transfer assessment permits so. This would have come with significant legal and administrative costs for businesses. Furthermore, and in light of the Commission’s new draft SCCs, any existing contracts would need to be updated to reflect the new clauses within one year from adoption by the Commission. You can read further on the draft SCCs in our blog post.
Under Article 70(1)(s) of the GDPR, the European Data Protection Board (the “EDPB”), either on its own initiative or at the request of the Commission, must provide an opinion for the assessment of the adequacy of the level of protection. Whilst the EDPB opinion is not binding upon the Commission, it is likely to take it into account in fine-tuning the adequacy finding. In addition, for the Commission’s adequacy decision to become final, a committee of representatives of EU Member States must first issue a positive decision. In the event that the EDPB fully opposed the adequacy finding, which we consider unlikely, it remains unclear as to whether the Commission would refrain from presenting the draft for approval before the Member States.
Our team will closely follow updates from the Commission and provide further information once the draft adequacy decision is formally approved by the Commission. In the meantime, please get in touch with your usual SPB contact or any member of our Data Privacy and Cybersecurity team for further assistance on data protection requirements.