Under the GDPR there are restrictions on the transfer of data from the EEA (all EU countries plus Iceland, Liechtenstein and Norway) to any third country unless “adequate” levels of data protection can be secured. If the country in question has not been given a finding of “adequacy” by the EU Commission (e.g., the United States), then such transfers are prohibited unless an appropriate safeguard applies (e.g., contracts including certain approved clauses are put in place between data exporter and data importer). One other route was the Privacy Shield scheme between the U.S. and the EU, which U.S. companies previously could sign up to; however, that was shot down recently following concerns.
Following the end of the Brexit transition period on December 31, 2020, in data protection terms the UK went from being treated as an EU member country to a third country. To avoid a “cliff edge” for data flows, the Brexit UK-EU trade deal (the Trade and Cooperation Agreement), which came into force January 1, 2021, provided for a further transition period for the first half of 2021 to allow uninterrupted data flows between the EU and the UK, in the hope that this would be enough time for an adequacy finding to be achieved for the UK.
Businesses were holding their breath hoping that such a finding would come in time. The good news is that it looks like that wish has been granted, although there is still a process to follow before formal adoption, including review by the European Data Protection Board (EDPB) and representatives of the EU Member States.
The internet and e-commerce platforms are, by their very nature, borderless, and UK businesses of all shapes and sizes did not want to see prohibitions (or the cost and complexity of having to put in place contractual arrangements to cover each data transfer) for handling data from the EU. Failing to grant adequacy would essentially create such problems come the summer. There is still the possibility that in four years’ time the EU can change its mind, but provided we see formal adoption shortly it will mean, for the time being at least, businesses can take some comfort.
In truth, it was difficult to see how the EU could have denied the UK adequacy, although recent UK/EU tensions did throw some doubt over this. It’s not so much that the UK had a “head start,” as the EU Commission claimed, but that huge tracts of law are near enough identical. The GDPR, for instance, was subsumed into UK law.
If the UK had been denied adequacy, it would also have set an extremely high bar for any other countries seeking such a finding. (Japan recently achieved it; South Korea is hoping for the same.)
One further point to note is that the Commission actually came to two draft findings of adequacy: one under the General Data Protection Regulation (GDPR) and one under the Law Enforcement Directive (LED), the latter of which will permit data flows for law enforcement purposes.
However, amongst the encouraging news, it is worth noting that one of the reasons the U.S.-EU Privacy Shield came under scrutiny was a perception in the EU that companies were simply paying lip service when using it and self-certifying compliance, when in reality it was lacking in many cases. UK businesses and any international companies doing business via UK entities will, therefore, still need to guard against any complacency.
The EU Commission will be watching to ensure the UK is not providing adequate protections in name only, and EU data regulators still have large fines at their disposal to use in enforcement against anyone doing so. Businesses should therefore regularly review their business practices and policies to make sure they are up to GDPR requirements.