Data, adequacy and the future relationship – an explainer
How will the exchange of personal data be affected by the UK-EU future relationship?
Conversation around the UK/EU trade deal has mostly focused on how goods will be exported and imported in the future. However, UK trade with the EU is also conducted away from customs locations at sea, rail and airports, particularly when it comes to the trade in services which make up a majority of the UK’s trade with the EU.
The UK is a major data hub, while the UK makes up around 3% of global GDP, 11.5% of global cross-border data flows pass through the UK, 75% of this traffic is with the EU. Data will therefore be a major component in the future relationship with the EU, with both the trade in goods and services underpinned by exchanges of data.
When the U.K. was a member of the EU it was bound by common rules on data protection with the UK’s data protection authority, the ICO, sitting on the pan European data protection forum, the European Data Protection Board (EDPB). As part of this the flow of data between the UK and the EU was relatively free, meaning individuals, companies and public authorities could transfer data across the EEA as if it were a single state, as long as data protection rules (the EU GDPR) were followed. Outside of this framework an additional legal basis needs to be found to transfer data with the EU, this is either through a country wide solution known as data adequacy or specific entity to entity contractual solutions.
During the transition period there is no change to UK data protection and transfer rules, it will be business as usual as set out here in a notice from the ICO. Following the agreement of the Trade and Cooperation Agreement (TCA) the UK and EU published a joint statement agreeing a further bridge period of up to six months after the end of the transition period where personal data transfers to the UK will not be considered transfers to a third country. In effect extending the transition period for data transfers.
This means that during the period (intially four months long, but extendable up to six months) personal data can continue to flow as it did during the transition period. This period is to allow for the completion of an ongoing assessment of the UK's data protection rules to determine whether the UK will be granted data adequacy.
However, at the end of this period, unless a positive adequacy decision is given, the U.K. will default to become a third country, no longer part of the EU’s data protection regime and as a result there will be no intrinsic entitlement to allow data to be transferred between the U.K. and the EU requiring a new legal basis.
A positive adequacy decision between the UK and the EU is overwhemingly in the interests of both sides, as well as the thousands of UK and EU individuals, businesses and civil society groups that exchange data every day. An adequacy decision also does not place legal restrictions on the autonomy of either the UK or the EU, and supports the objectives of both sides for achieving a new and benefical trading relationship.
The below FAQs set out the circumstances under which personal data will be able to be exchanged between the U.K. and the EU in the event of a positive adequacy decision being granted as well as in the case where a decision is not reached how companies can create a new legal basis for data transfers.
- What is an adequacy decision?
- Does an adequacy decision mean the U.K. must follow EU rules?
- Will the UK’s data protection rules be different at the end of the transition period?
- How long does an adequacy decision take?
- What happens if an adequacy decision isn’t granted?
1. What is an adequacy decision?
Adequacy is a process created by the EU to certify that a country (or sector within a country) meets equivalent standards to EU rules on data protection.
Countries can apply for and may be granted adequacy by the European Commission (EC) if their data protection regimes are deemed to provide sufficient protections to personal data in their jurisdictions. This requires an assessment by the European Commission.
Receiving a full adequacy decision allows personal data to be transferred to and from the EEA as long as the relevant local data protection rules are followed. If the EC won’t grant a full decision, partial adequacy decisions can be granted allowing certain sectors or registered companies to transfer data. For example, the EU has a partial decision with Canada.
You can read more detail on adequacy and international transfers in techUK’s report No Interruptions.
2. Does an adequacy decision mean the U.K. must follow EU rules?
No. The political declaration between the two sides notes that the UK will be establishing its own international transfer regime while the guidance in the UK and EU’s drafts of their negotiating objectives notes that both the UK and EU will retain autonomy over the design of their own data protection rules.
Under adequacy there will be a review by the EU of the UK’s adequacy status at least every four years, which will take into account any relevant developments, however this does not limit the legislative ability of the UK on data protection.
Adequacy also does not prevent the UK from negotiating and signing digital trade chapters in future free trade agreements. New Zealand holds an EU adequacy decision while also being a signatory of the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTTP). Japan also holds an EU adequacy decision while being party to agreements and negotiations which cover digital trade, such as the CPTTP and the U.S.-Japan Digital Trade Agreement.
3. Will the UK’s data protection rules be different at the end of the transition period?
The UK’s departure from the EU will mean that the UK and EU will have legally separate approaches to data protection in the future. This is similar to other countries the EU has adequacy agreements with.
As we understand it there are no plans for new UK laws on data protection, none were announced in the Government’s Queens speech. Further in the Governments outline of its negotiating position in a written statement to Parliament the Prime Minister set out that the UK would have exactly the same regime on data as the EU at the point of exit.
The UK is currently reviewing its data strategy and international transfers regime, however major legislative changes are likely some time away. Similarly, the EU is looking at updating its own data protection rules through a review of the GDPR.
During the additional six month bridge period if the UK makes specifc changes to its data protection regime, such as enacting new Standard Contractual Clauses or Binding Corporate Rules then the EU can halt the assessment and end the bridge period. This would result in a no adequacy outcome and force the UK and EU to exchange data on third country terms.
4. How long does an adequacy decision take?
The shortest time an adequacy decision has been completed in was 18 months (with Argentina).
However, because the UK and the EU apply very similar data protection laws the UK is an unprecedented case, meaning that it is hard to judge based on on past decisions.
The UK’s security services will come under scope in this decision. As a third country UK security services are not exempted from assessment under the adequacy process.
This has been a known issue since before the assessment began.
The EU will be able to insist on conditions when granting adequacy that could allow the UK and the EU to reach a positive outcome. The EU and the UK may also agree a security partnership through the FTA negotiations which could support a positive adequacy decision.
5. What happens if an adequacy decision isn’t granted?
If an adequacy decision is not granted by the end of the six month additional bridge period, the UK and EU will exchange data based on their individual international transfers rules.
At the moment as both the UK and EU have similar rules based on the GDPR there are clearly defined processes for transferring data requiring the use of appropriate safeguards, such as standard contractual clauses (SCCs) or Binding Corporate Rules (BCRs).
The ICO has provides detailed information on appropriate safeguards, as well as examples of model clauses which can be used here.
In the preparations for the end of the transition period the UK Government has stated that it will automatically recognise the EU as adequate for data transfers. This means that outbound transfers of data from the UK to the EEA will not be restricted as long as UK data protection rules are followed.
However, the EU has made no such commitment meaning that appropriate safeguards would be needed for inbound transfers, from EEA based entities to the UK. If these were not followed EEA based entities could be investigated and fined by the data protection authority of the host member state.
For further information ICO guidance on international transfers can be found here.
Latest News from
£3m to fund new wave of Artificial Intelligence for the Military15/01/2021 16:25:00
techUK members have won funding as part of the DASA Intelligent Ship Phase 2 competition.
Defence Digital and techUK publish joint list of signatories to collaboration Code of Practice15/01/2021 13:33:00
Following the recent launch of a new Code of Practice for collaboration, techUK and Defence Digital are delighted to share a joint list of MOD and industry signatories to the code.
Avon and Somerset Police Proof of Concept (PoC)15/01/2021 11:25:00
Guest Blog: Phillip Ridley, Senior Business Development Consultant at 1Spatial and 'Interoperability in Policing' Working Group member shares his recent work with Avon & Somerset Police in the world of spatial data.
Ofcom report: Technology Futures14/01/2021 16:05:00
The UK's communications regulator Ofcom has published a new report, Technology Futures, that shines a spotlight on the innovative, emerging technologies that could shape the communications industry in the future.
5G Create trials to utilise Open RAN14/01/2021 11:25:00
The UK Government’s 5G Testbeds and Trials Programme has announced the latest projects to receive funding for innovative new uses of 5G, following the 5G Create competition.
Digital Ethics Summit 2020 Day One- Lessons to be learnt from 202011/01/2021 14:25:00
Summary of day one at techUK's Digital Ethics Summit 2020.
Digital Ethics Summit 2020 Day Two- Moving Forward in 202111/01/2021 13:33:00
Summary of day two at techUK's Digital Ethics Summit 2020.
Contribute a case study to techUK’s landmark digital twins report!11/01/2021 09:15:00
techUK is aiming to kick-off 2021 in style with the release of a landmark report ‘Unlocking value across the UK’s digital twin ecosystem’.