In a welcome move, the European Commission has formally approved an adequacy decision for the UK on data protection. However, as we explain below, this may not be the end of the story as regards the post-Brexit treatment of EU personal data – and there is still unfinished business in a number of other important areas beyond data protection.
The data adequacy decision
The European Commission's decision means that the UK's data protection regime has been deemed sufficient to protect EU personal data. This is important because, without such a decision, EU data controllers and processors would have had to put in place additional safeguarding mechanisms, which are likely to involve significant additional paperwork, especially in light of the EU's recently released new standard contractual clauses. The only reason they did not have to take these measures with effect from 1 January this year (when the Brexit transition period ended) was the inclusion of the so-called "data bridge" in the UK-EU Trade and Cooperation Agreement, which provided a 6-month "grace period" for businesses (and has enabled the European Commission to complete its assessment of the UK's data protection framework). However, there are several caveats:
- Ongoing monitoring: The European Commission has the power to suspend, repeal or amend the decision if it "has indications that an adequate level of protection is no longer ensured". Whilst this is standard language in decisions of this type, it comes against a background of calls on the UK Government to diverge from the EU on data protection (see, for example, the recent report of the Taskforce on Innovation, Growth and Regulatory Reform). If implemented, such changes could prompt the Commission to reassess the UK's legislative framework. An attempt to make data protection compliance easier within the UK could therefore, ironically, make it more difficult to deal with transfers of EU personal data from businesses in the EU.
- Sunset clause: The decision also contains a sunset clause limiting its duration to 4 years, after which it will expire unless renewed (which will require a further review of UK laws and practices at that stage). This is the first time an adequacy decision has included such language, and it provides the EU with a further opportunity to reassess the UK's data protection landscape, including its onward transfer regime and the UK's approach to granting adequacy to third countries.