The U.K.'s digital businesses can breathe a sigh of relief today as the European Commission has officially signed off on data adequacy for the (now) third country, post-Brexit.
It's a big deal for U.K. businesses, as it means the country will be treated by Brussels as having essentially equivalent data protection rules as markets within the bloc, despite no longer being a member itself -- enabling personal data to continue to flow freely from the EU to the U.K. and avoiding any new legal barriers.
The granting of adequacy status has been all but assured in recent weeks, after European Union Member States signed off on a draft adequacy arrangement. But the Commission's adoption of the decision marks the final step in the process -- at least for now.
It's notable that the Commission's PR includes a clear warning that if the U.K. seeks to weaken protections afforded to people's data under the current regime it "will intervene".
In a statement, Věra Jourová, Commission VP for values and transparency, said:
The UK has left the EU but today its legal regime of protecting personal data is as it was. Because of this, we are adopting these adequacy decisions today. At the same time, we have listened very carefully to the concerns expressed by the Parliament, the Members States and the European Data Protection Board, in particular on the possibility of future divergence from our standards in the UK's privacy framework. We are talking here about a fundamental right of EU citizens that we have a duty to protect. This is why we have significant safeguards and if anything changes on the UK side, we will intervene.
The U.K. adequacy decision comes with a Sword of Damocles baked in: A sunset clause of four years. It's a first -- so, er, congratulations to the U.K. government for projecting a perception of itself as untrustworthy over the short run.
This clause means the U.K.'s regime will face full scrutiny again in 2025, with no automatic continuation if its standards are deemed to have slipped (as many fear they will).
The Commission also emphasizes that its decision does not mean the U.K. has four 'guaranteed' years in the clear. On the contrary, it says it will "continue to monitor the legal situation in the U.K. and could intervene at any point if the U.K. deviates from the level of protection currently in place".
Third countries without an adequacy agreement -- such as the U.S., which has adequacy twice struck down by Europe's top court (after it found U.S. surveillance law incompatible with EU fundamental rights) -- do not enjoy 'seamless' legal certainty around personal data flows, and must instead take steps to assess each of these transfers individually to determine whether (and how) they can move data legally.
Last week, the European Data Protection Board (EDPB) put out its final bit of guidance for third countries wanting to transfer personal data outside the bloc. And the advice makes it clear that some types of transfers are unlikely to be possible.
For other types of transfers, the advice discusses a number of supplementary measures (including technical steps like robust encryption) that may be possible for a data controller to use in order to, through their own technical, contractual and organizational effort, ramp up the level of protection to achieve the required standard.
It is, in short, a lot of work. And without today's adequacy decision, U.K. businesses would have had to get intimately acquainted with the EDPB's guidance. For now, though, they've dodged that bullet.
The qualifier is still very necessary, though, because the U.K. government has signaled that it intends to rethink data protection.
How exactly it goes about that -- and to what extent it changes the current 'essentially equivalent' regime -- may make all the difference. For example, Digital minister Oliver Dowden has talked about data being "a great opportunity" for the U.K., post-Brexit.
And writing in the FT back in February he suggested there will be room for the U.K. to rewrite its national data protection rules without diverging so much that it puts adequacy at risk.
"We fully intend to maintain those world-class standards. But to do so, we do not need to copy and paste the EU’s rule book, the General Data Protection Regulation, word-for-word," he suggested then, adding that: "Countries as diverse as Israel and Uruguay have successfully secured adequacy with Brussels despite having their own data regimes. Not all of those were identical to GDPR, but equal doesn’t have to mean the same. The EU doesn’t hold the monopoly on data protection."
The devil will, as they say, be in the detail. But some early signals are concerning -- and the U.K.'s startup ecosystem would be well advised to take an active role in impressing upon government the importance to stay aligned with European data standards.
Moreover, there's also the prospect of a legal challenge to the adequacy decision -- even as is, i.e. based on current U.K. standards (which find plenty of critics). Certainly it can't be ruled out -- and the CJEU hasn't shied away from quashing other adequacy arrangements it judged to be invalid...
Today, though, the Department for Digital, Media, Culture and Sport (DCMS) has seized the chance to celebrate a PR win, writing that the Commission's decision "rightly recognises the country’s high data protection standards".
The department also reiterated the U.K. government's intention to "promote the free flow of personal data globally and across borders", including through what it bills as "ambitious new trade deals and through new data adequacy agreements with some of the fastest growing economies" -- simultaneously claiming it would do so "while ensuring people’s data continues to be protected to a high standard". Pinky promise.
"All future decisions will be based on what maximises innovation and keeps up with evolving tech," the DCMS added in a press release. "As such, the government’s approach will seek to minimise burdens on organisations seeking to use data to tackle some of the most pressing global issues, including climate change and the prevention of disease."
In a statement, Dowden also made a point of combining both streams, saying: "We will now focus on unlocking the power of data to drive innovation and boost the economy while making sure we protect people’s safety and privacy."
UK business and tech associations were just as quick to welcome the Commission's adequacy decision. The alternative would, of course, have been very costly disruption.
In a statement, John Foster, director of policy for the Confederation of British Industry, said: “This breakthrough in the EU-UK adequacy decision will be welcomed by businesses across the country. The free flow of data is the bedrock of the modern economy and essential for firms across all sectors– from automotive to logistics -- playing an important role in everyday trade of goods and services. This positive step will help us move forward as we develop a new trading relationship with the EU.”
In another supporting statement, Julian David, CEO of techUK, added: “Securing an EU-UK adequacy decision has been a top priority for techUK and the wider tech industry since the day after the 2016 referendum. The decision that the UK’s data protection regime offers an equivalent level of protection to the EU GDPR is a vote of confidence in the UK’s high data protection standards and is of vital importance to UK-EU trade as the free flow of data is essential to all business sectors.
“The data adequacy decision also provides a basis for the UK and EU to work together on global routes for the free flow of data with trust, building on the G7 Digital and Technology declaration and possibly unlocking €2TR of growth. The UK must also now move to complete the development of its own international data transfer regime in order to allow companies in the UK not just to exchange data with the EU but also to be able to access opportunities across the world.”
The Commission has actually adopted two U.K. adequacy decisions today -- one under the General Data Protection Regulation (GDPR) and another for the Law Enforcement Directive.
Discussing key elements in its decision to grant the U.K. adequacy, EU lawmakers highlighted the fact the U.K.'s (current) system is based upon transposed European rules; that access to personal data by public authorities in the U.K. (such as for national security reasons) is done under a framework that has what it dubbed as "strong safeguards" (such as intercepts being subject to prior authorisation by an independent judicial body; measures needing to be necessary and proportionate; and redress mechanisms for those who believe they are subject to unlawful surveillance).
The Commission also noted that the U.K. is subject to the jurisdiction of the European Court of Human Rights; must adhere to the European Convention of Human Rights; and the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data -- aka "the only binding international treaty in the area of data protection".
"These international commitments are an essential element of the legal framework assessed in the two adequacy decisions," the Commission notes.
Data transfers for the purposes of U.K. immigration control have been excluded from the scope of the adequacy decision adopted under the GDPR -- with the Commission saying that's "in order to reflect a recent judgment of the England and Wales Court of Appeal on the validity and interpretation of certain restrictions of data protection rights in this area".
"The Commission will reassess the need for this exclusion once the situation has been remedied under UK law," it added.
So, again, there's another caveat right there.