Businesses now have clarity on laws surrounding data transfers with EU countries following Brexit. Kirsty Davey, Partner and Head of Corporate and Commercial at Coodes Solicitors, welcomes the news.
Following the UK’s exit from the European Union one of many factors to consider was the position in relation to data protection laws. In particular, it was unclear whether the European Commission would deem that the UK had an adequate level of protection for personal data. This has implications for how businesses can share customer details or other personal information through data transfers.
The European Commission has now confirmed its position, providing welcome clarity for businesses.
The adequacy decision on data transfers
The UK Government has already recognised the EU and EEA member states as ‘adequate’ for the purposes of the transfer of personal data. This includes any personal data that organisations might need to send to one another, including names, contact details, medical information and data that relates to an individual.
However, for organisations operating in the UK, the potential “third country” status imposed by the EU would have substantial implications on data transfers between the EU and the UK in the form of additional safeguards.
In February 2021 the European Commission published a draft adequacy decision. The Commission carefully assessed the UK’s legal framework as part of the process to adopt the decision which would allow personal data to continue to be transferred from the EU to the UK. The considerations were so in depth that the decision even referenced laws such as the Magna Carta and the Bill of Rights.
Adopting the adequacy decision for the UK
On 28 June 2021 the European Commission adopted the adequacy decision for the UK. It stated that “As the UK GDPR is based on EU legislation, the data protection rules in the United Kingdom in many aspects closely mirror the corresponding rules applicable within the European Union”. This means the European Commission is satisfied that the UK laws on data protection, through the UK GDPR and Data Protection Act 2018, are robust enough and are essentially equivalent to that within the EU. The consequence of this decision is that, with immediate effect, personal data can now flow freely between the EU and the UK.
The adoption of the decision will come as a great relief to organisations and businesses operating in the UK. The Information Commissioner, Elizabeth Denham said: “Approved adequacy means that businesses can continue to receive data from the EU without having to make any changes to their data protection practices. Adequacy is the best outcome as it means organisations can carry on with data protection as usual. And people will continue to enjoy the protections that their data will be used fairly, lawfully and transparently.”
The sunset clause
However, it is important to note that the adequacy decision includes a ‘sunset clause’ and will last until 2025. This means during the next four years, the European Commission will monitor the legal situation in the UK. The Commission could intervene at any time if the UK departs from the level of data protection currently in place. Following this period, adequacy findings may be reviewed and renewed if the UK continues to ensure the essentially equivalent level of data protection as the EU.
We will be monitoring the situation and can advise businesses on steps to take should the position change.
For more advice on this issue, please contact Kirsty Davey in the Corporate and Commercial team at Coodes Solicitors on 01326 214034 or firstname.lastname@example.org