14 July 2021

Adequate at Last

By Faye Cheung, Researcher 

The EU Commission have approved adequacy decisions for the UK, concluding that UK data protection law gives adequate protection to personal data. This is fantastic news for UK organisations because it means that personal data can continue to flow freely from the European Economic Area (EEA) into the UK. The EU-UK Trade and Cooperation Agreement only allowed data to flow freely after the end of the Brexit transition period until 30 June 2021 so this announcement, which was made on 28^th June 2021, has been welcomed with a long awaited sigh of relief.

The UK joins the 12 other non-EU countries that have been granted adequacy status by the EU; Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.[1] The Information Commission Officer, Elizabeth Denham, says that this result is ‘a testament to the strength of the UK’s data protection regime’.[2]

However, unlike those other 12 countries, the UK’s adequacy decision includes a ‘sunset clause’, which limits the duration to 4 years only. This is the first time this limited duration has been imposed in an adequacy decision. It means that after 4 years the adequacy status will automatically expire. Adequacy decisions can be renewed after this time but only if UK law maintains EU standards of data protection. Furthermore, the UK will be monitored throughout this first four years and the EU Commission will intervene if the UK deviates from the current standard of data protection. This indicates that the EU Commission has taken a cautious approach towards the UK which might be a result of the Government’s National Data Strategy, that Oliver Dowden, Secretary of State for Digital, Culture Media and Sport describes as ‘driving a radical transformation’.[3] Under this strategy ‘data and data use are seen as opportunities to be embraced, rather than threats against which to be guarded.’[4] This might have left the EU Commission suspecting that there could be future changes to UK data protection law which might favour businesses rather than the privacy of individuals.

The work that organisations may have done to mitigate the risks of a negative adequacy decision, such as preparing standard contractual clauses and other safeguards, is still very valuable. However, in the meantime, UK organisations can rest assured that they will not face imminent disruption to data flow from the EU.

[1] https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

[2] https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/06/ico-statement-in-response-to-the-eu-commission-s-announcement-on-the-approval-of-the-uk-s-adequacy/

[3] and [4] https://www.gov.uk/government/publications/uk-national-data-strategy/national-data-strategy

© Naomi Korn Associates, 2021. Some Rights Reserved. The text is licensed for use under a Creative Commons Attribution Share Alike Licence (CC BY SA)

Disclaimer: The contents of this blog post are based on the assessment of Naomi Korn Associates Ltd at the time in which the resource was created (July 2021). The contents should not be considered legal advice. If such legal advice is required, the opinion of a suitably qualified legal professional should be sought.