Data protection update – EU decides UK data standards are provisionally adequate

The European Commission has now published two draft decisions on the “adequacy” of the UK’s data protection standards post-Brexit, which provisionally confirm that the UK’s data protection standards are adequate.

What changes to data protection law were there after the UK left the EU?

Post Brexit, it was understood that the UK data protection arrangements would largely mirror that of the EU’s. This was implemented by the so-called “UK GDPR”, which was introduced in January 2021 and which sits alongside the Data Protection Act 2018 as key data protection legislation. The introduction of these regulations effectively freezes the position in relation to data protection from December 2020, so that the U.K.’s data arrangements would theoretically be at the same level as the EU’s. However, despite this, from the EU’s perspective it did not necessarily follow that the UK’s data protection standards would be sufficient for the EU to consider them as “adequate”  and an assessment was still necessary.

Why does “adequacy” matter?

If a country’s standards of data protection are considered to be “adequate”, then the EU will permit the transfer of personal data to that country without any additional restrictions. Otherwise, the EU might consider imposing additional safeguards or mechanisms to facilitate the transfer.

The European commission’s draft adequacy decisions now confirm that, having carefully assessed the U.K.’s law and practice on data protection, the U.K.’s regulations are broadly equivalent to that of the EU’s. This will now begin the process for the adoption of these draft decisions, following which these will be valid for an initial period of four years. This will only be renewable in the event that the UK’s data protection scheme continues to meet the EU’s criteria. The drafts themselves include mechanisms for continual review, suspension or withdrawal in order to address any issues with the UK scheme which will no longer be subject to EU privacy regulations.

So, the UK’s data standards are sufficient for the EU going forward?

At present, these are only draft decisions and could be subject to change. However, the UK government has welcomed these and has stated it hopes that the EU will complete this approval process promptly. Although it is certainly early days, this is an encouraging step by the EU to progress the UK’s adequacy application. In the meantime, we are still in a period of a “bridge”, during which time the EU has agreed to delay any transfer restrictions for at least four months, with a potential to extend this to 6 months (with the latest date being first of July 2021).

Practically, this means that the data protection obligations owed by employers will continue to be similar to those imposed by the Data Protection Act 2018, and now the UK GDPR. Employers should continue to ensure that their data practices are in line with these obligations. We await further confirmation from the EU as to adequacy, however this is a positive start.