At the end of June data protection law advisers were weeping with joy: the EU formally adopted its draft adequacy decision allowing people in the EU to transfer data to the UK. The fear of customer data held by a processor being sent to a controller under the wrong Standard Contract Clauses disappeared into the air.
Until the decision was adopted, it was business-as-before-Brexit, but that was based on a specific transition arrangement. That arrangement was due to expire at the end of June.
An adequacy decision is a recognition by the EU that the UK offers “essentially equivalent” protection to personal data as the EU. The EU does not have concerns about its citizen’s personal data flowing between the two countries without any additional protections. But the decision only covers transfers between the UK and the EU. Transfers from the UK to other non-EU countries are governed by the Data Protection Act 2018.
This does not mean that you can transfer and process data at will. You must still comply with the Data Protection 2018.
Adequacy decisions are subject to review. In 2020, the EU revoked its approval of the EU-US Privacy Shield arrangement. It left those that had been relying on it to look for other ways to transfer their personal data with as little business interruption as possible.
Whilst we knew that any adequacy decision of the EU would be open to review and revocation, the EU has gone one step further. For the first time, it has included a sunset clause meaning that the approval will automatically come to an end in four years’ time. It could still be revoked before then.
If the adequacy decision is to be renewed after four years, the UK will need to show that it still offers essentially equivalent protection to personal data as the EU. This will be harder the more that the UK diverges from GDPR/the EU standard then in force. But for now, personal data can come to the UK.
If you would like further information on the topic discussed in this blog, please contact Lottie White by email: email@example.com or by phone: 0141 530 2038, Derek Hamill by email: firstname.lastname@example.org or by phone: 0141 530 2022 / 07973 924 333. You can also view Derek’s profile by clicking here.
The information and opinions contained in this blog are for information only. They are not intended to constitute advice and should not be relied upon or considered as a replacement for advice. Before acting on any of the information contained in this blog, please seek specific advice from Gilson Gray.