June 2021 EU Data Protection ‘Adequacy’ Ruling – as EU tells the UK “we sort of trust you…”
EU citizens have this week been given some assurance that their personal data will be protected when it is transferred to the UK.
As post-Brexit relations between the EU and UK continue to find their footing, the European Commission has now formally recognised that UK data protection rules are “adequate.” This means that personal data can be transferred from the EU to the UK.
This comes as a relief to UK businesses, which will be able to continue operating as usual, exchanging data with EU-based companies as they did before Brexit.
The UK data protection journey has been a long and convoluted one, made all the more complex by Brexit.
Way back in January 2012 the European Commission set out plans for data protection reform across the EU to make Europe “fit for the digital age”. Almost four years later, agreement was reached on precisely what that meant. One of the key components of the reforms was the introduction of the General Data Protection Regulation (GDPR). GDPR is the legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the EU. A formidable text, it was, ultimately, adopted into UK law as the Data Protection Act 2018 and now, since Brexit, the UK GDPR. European Commission vice-president for Values and Transprency, Vera Jourová said this week:
“The UK has left the EU but today its legal regime of protecting personal data is as it was. Because of this, we are adopting these adequacy decisions today. At the same time, we have listened very carefully to the concerns expressed by the parliament, the member states and the European Data Protection Board, in particular on the possibility of future divergence from our standards in the UK’s privacy framework. We are talking here about a fundamental right of EU citizens that we have a duty to protect. This is why we have significant safeguards and if anything changes on the UK side, we will intervene.“
These ‘safeguards’ come in the form of a four year ‘sunset clause’, which means the EU can revoke the adequacy ruling at any time if they feel it necessary. It is notable that this clause appears to be unique to the UK. An indication perhaps of some post-Brexit payback or mistrust?
And just as UK business seems to have got the hang of GDPR, the Prime Minister has established a taskforce on ‘Innovation, Growth and Regulatory Reform.’ Its aim is to identify how the UK can reshape regulation and seize new opportunities after Brexit. One ‘hot topic’ on their list is to scrap GDPR altogether – replacing it with our own UK laws on data protection. Just what businesses need after years of implementing GDPR!! Quite what this would mean for UK-EU relations remains to be seen.
Are you confident that your policies and procedures are fully compliant with current legislation? We have guided some of the largest and smallest businesses through the jungle of requirements to help them understand their obligations and sleep better at night. We also offer training, allowing you and your team to improve your understanding of the GDPR risks within your organisation and help mitigate them through improved awareness.
Don’t opt out of playing by the rules. Why not get in touch with us today so that we can make sure you always play fair.