The EU Commission is set to grant the UK an adequacy decision, meaning the free flow of data between the two parties can continue beyond the agreed interim period set to expire on the 30th June 2021.
Looking back even just a few months, to October 2020, an agreement on data adequacy seemed a distant prospect. With uncertainty as to whether a deal would even be reached, an EU court threw an extra spanner in the works two months before the Brexit transition period was set to end, deeming the mass retention and collection of data by the UK security and intelligence services illegal under EU law. This meant that the likelihood of the UK becoming a ‘third country’ was a real threat. Practically, this meant businesses would have to introduce complex and costly legal mechanisms to facilitate the movement of data, usually in the form of Standard Contractual Clauses (SCCs), at very short notice.
In our last article we explored the EU ruling in detail and highlighted how a number of potential scenarios could have impacted UK/EU businesses.
Developments to UK-EU data relations
As we predicted, a temporary adequacy solution was introduced as part of the UK Trade and Cooperation Agreement, on the 24th December 2020, allowing the free movement of data from the EU to the UK to continue for an interim period of 6 months, whilst negotiations continued and a formal decision could be made. For data transfers from the UK to the European Economic Area (EEA), the government has already positioned itself to authorize adequacy on a transitional basis until 2024, which includes the retention of the EU SCCs as a transfer mechanism.
On 19th February 2021 the European Commission set in motion the process of formal adequacy adoption by publishing two draft adequacy decisions, one under the General Data Protection Regulation (GDPR) and another under the Law Enforcement Directive (LED), the latter of which details how criminal justice organisations can process and transfer personal data for law enforcement purposes. The EU announcement concluded that the UK ensures an equivalent level of protection to the EU for personal data on both counts.
Before the decision can be formally adopted, each draft will be scrutinised by the European Data Protection Board (EDPB), although its opinion is non-binding and, as such, it does not carry the power to block the decision. The proposals must then be put forward to a committee composed of representatives of the EU member states for final approval. Whilst it is unclear how long this process will take, the adequacy decision granted to Japan in January 2019 took approximately four months, meaning a verdict should be announced before the end of the 6 month ‘bridging period’ due to expire on the 30th June 2021.
While the GDPR and LED drafts both aim to deliver the same EU equivalence standards, the underlying rules for protecting personal data differ for each, meaning the formal adoption of one adequacy decision does not automatically secure the approval of the other. Bearing this in mind, there is particular concern around whether certain UK practices within the intelligence services and criminal justice sector could jeopardize the ability to secure adequacy under the LED.
Given the recent move by the Court of Justice of the EU (CJEU) to invalidate an EU Commission decision that adopted the EU-US Privacy Shield in July 2020, in addition to existing concerns raised by the EU regarding the UK’s collection of data by its intelligence services, there is a real risk the CJEU could undermine the ability to secure LED adequacy. Whether it does this, however, is dependent upon privacy activists deciding to litigate any issues.
Longer term adequacy – Don’t rock the boat
Once adequacy is granted, this will allow data to flow back and forth between the UK and EU bloc for a period of four years, at which point it is then reviewed again. Whilst this review period is longer than other decisions, such as Japan’s of two years, the EU have strict mechanisms to monitor and review, suspend or withdraw the agreement once adequacy is established. As such, the UK must adapt to combat emerging risks to personal data from changing social and technological trends to ensure continued alignment and compliance with its neighbors.
With this in mind, even as recently as this week we have seen Axel Voss, one of the founding fathers of GDPR, question the effectiveness of the policy, citing the rapid social shifts to working from home and advancements in technologies such as blockchain, facial and voice recognition and AI as reasons to suggest that GDPR is already out of date.
Another area where the UK must tread with caution is trade. As post-Brexit Britain looks to develop comprehensive trade agreements with other nations or economic blocs, there is the risk of demands on the UK to relax its data protection standards, which may lead to it having to choose one trading relationship over the other.
The UK government has already announced it would apply to join the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), which includes countries such as Australia, Canada, Japan, New Zealand and Chile, and whose member nations agree not to impose restrictions on cross-border data flows, inclusive of personal data. Given the EU has not been willing to make these commitments in its trade agreements, due to concerns around GDPR standards not being met, there is a clear risk of incompatibility that the UK needs to be conscious of. When you consider that UK exports to CPTPP nations are currently only 5%, compared with 43% for the EU, as well as the geographical proximity and historical relationship the UK has with the European bloc, it’s unlikely that the UK will sacrifice its arrangement with the EU in favor of another trading agreement.
Interestingly, the UK looks to be positioning itself in a similar way to Japan, whereby it would benefit from lower standards of data protection in deals such as CPTPP whilst simultaneously holding a GDPR adequacy decision with the EU; also referred to as having your cake and eating it. If global commerce growth begins to move away from commodities and more towards digital/data trade, this would position the UK as a digital port for data transactions between nations and trading blocs.
The practicalities of how this would be implemented, however, are still very much unclear. In-depth analysis will be essential in understanding the best mechanism to navigate potentially contradictory regulation structures, whilst balancing the implications of moving away from an EU approach.
Clearly the latest adequacy announcement from Brussels can be considered a unanimous step in the right direction for both UK and EU businesses. Whilst adequacy is not yet guaranteed, there are only a couple more hurdles left to clear, the outcomes of which should become evident over the coming weeks and the benefits of which should last many years. It is important to keep in mind, however, that the UK’s use of personal data must continue to meet EU standards, despite the challenges and temptations we expect to see over the coming years. An area where we expect to see a particularly large shift is AI, given the Inception Impact Assessment (IIA) the EU published in July 2020, which is, in essence, a precursor to AI regulation that centers on ethical principles and data protection.