It is by now a well-reported fact that whilst the UK may have officially exited the EU on 31 January 2020, the hard work to resolve the future relationship between the UK and the EU is far from over. The “transition period” is currently set to run until the end of 31 December 2020, by which point the future relationship will need to be in place. The UK Government has, through several speeches, set out its intentions for the next phase of negotiations, and on 12 February 2020 The European Parliament (the EP) adopted a resolution which quite firmly draws the EU’s own battle lines.
One particular section of this resolution that could be of significant concern to many data-rich industries operating across Europe – such as those in the digital and tech sectors – is the position on data protection. In short, the EP does not currently consider the UK to be adequate. But why might this be a problem?
The concept of “adequacy” is an important one under European data protection legislation, and it is used to determine the level of regulation when personal data flows between EEA countries and what are known as “third countries”. Third countries are simply countries that are not within the EEA. In order to have the most seamless regulatory and legal oversight when it comes to international data processing, a third country must have received the benefit of a data adequacy decision from the European Commission, which means that personal data can flow from the EEA to that third country without any further safeguards in place. Without an adequacy decision, extra measures are needed for businesses to comply with the law.
Whilst the transition period is in place, the UK keeps the benefit of being deemed adequate for the purposes of data protection as if it were still a member of the EU. However, once the transition period ends, the UK will need an adequacy decision in place if UK businesses are to avoid having to implement a raft of additional measures and contractual amendments when dealing with European personal data.
The European Commission does not bestow these decisions lightly; to date, it has only recognised 13 other countries as providing adequate protection – and in some of these cases that scope is still narrowly limited. The EP’s resolution of 12 February implies that unless changes are made to UK law, it seems that the UK is not set to become the 14th country any time soon. This is because the EP views several exemptions under the Data Protection Act 2018 as being contrary to the principles of the GDPR, and it is also concerned about UK legislation which grants mass surveillance powers to law enforcement organisations.
Until further developments emerge, it may well be that this most recent statement from the EP is simply a sabre-rattling negotiating tactic designed to ensure better terms from the UK Government in any future trade deal. However, UK businesses which process personal data from the EEA might think it wise to start preparing early for the possibility that the UK does not receive a data adequacy decision in time for 1 January 2021. A good way to begin these preparations would be by reviewing and amending any affected contracts to include suitable safeguards, as well as generally updating internal data processing practices.
If you would like further information relating to the points raised in this article, or assistance from Lupton Fawcett with meeting your data processing obligations, please contact David Baines or any of our data team members.
Please note this information is provided by way of example and may not be complete and is certainly not intended to constitute legal advice. You should take bespoke advice for your circumstances.