Friday 12 Mar 2021 @ 16:25
techUK
Printable version

Understanding UK-EU data flows, what does data adequacy mean?

The European Commission has given preliminary approval of the UK’s data protection regime, and if adopted this will allow for the continued flow of personal data between the UK and EEA. But what does this decision say and what does it mean for UK-EU data flows in the long run?

Under Article 45 of the General Data Protection Regulation (GDPR), the European Commission has the power to determine whether a third-country offers an adequate level of data protection to that in the EU.

The adoption of an adequacy decision is broken down into four main steps. These include:

  • a proposal from the European Commission
  • an opinion of the European Data Protection Board (EDPB)
  • an approval from representatives of EU countries
  • the adoption of the decision by the European Commission

The adequacy decisions will be subject to review and the European Commission may be requested by the European Parliament and the Council to maintain, amend or withdraw the adequacy decision at any time.

On 19 February 2021, the European Commission provisionally greenlighted the adoption of two adequacy decisions for transfers of personal data to the UK. This followed a thorough technical assessment by the Commission which found the UK’s data protection regime as providing an equivalent level of protection to the GDPR and the Law Enforcement Directive (LED).

The decisions will now be scrutinised by the EDPB which will give an opinion on the Commission's assessment. After the opinion is given, the decision will progress to comitology before a final decision is taken by the European Council.

If the adequacy decisions are adopted, companies based in the UK that want to continue transferring data from the EU to the UK will not need to put in place an additional legal basis, such as Standard Contractual Clauses (SCCs), to transfer personal data with the EEA.

The European Commission’s draft implementing decision recognises that the structure and main components of the UK legal framework applying to data is very similar to the one applying to the EU. This is not only based on the UK’s domestic law which has been shaped by EU law but also stemming from the UK’s obligations enshrined in international law such as the European Convention on Human Rights and Convention 108.

The data adequacy standard does not require finding an identical level of protection or a point-to-point replication of EU law, in this case the GDPR. The litmus test lies in the ability of third countries to demonstrate a similar level of data protection to the EU through their own system, not just through their effective implementation, but also supervision and enforcement through Data Protection Authorities (DPAs) - which the European Commission has concluded that the UK’s data protection system does so.

Crucially, however, the draft decision notes that, unlike other partners, UK begins from a position of convergence, but has expressed a desire to make changes to its data protection regime. As a result, the UK’s adequacy decision is not focused on ensuring that the UK implements a series of actions to bring its data protection laws more in line with the EU’s over a period of time.

Rather, the Commission’s decision is designed to manage the UK’s divergence from European data protection law, pathways within the conclusions that could trigger a review and potential termination of the agreement.

These include:

  • The European Commission will monitor, on an ongoing basis, any relevant policy changes to data protection rules in the UK that may reduce the level of data protection offered.
  • The European Commission may repeal, partially or completely suspend, or amend the adequacy decision based on:
    • the process of resolving a complaint from a Member State DPAs who will report to the European Commission any concerns they have or where they find the UK is not offering an equivalent level of protection.
    • Any material changes to the UK’s international commitments, specifically its membership of and subjection to the European Convention of Human Rights and its Court (even though this commitment is enshrined in the EU-UK Trade and Cooperation Agreement).
  • The adequacy decision will be reviewed after four years after the date it enters into force and the European Commission will initiate the procedure to amend or extend this decision at least six months before this date. This ‘break’ could be the point where the Commission seeks to lay down more conditions and restrictions for the UK under this framework, to avoid more divergence.

Overall, the European Commission’s decision for the UK is very positive and warmly welcomed by both the EU and UK tech sectors which have been making clear the importance of a mutual data adequacy agreement since the Brexit referendum.

 

Channel website: http://www.techuk.org/

Original article link: https://www.techuk.org/resource/understanding-uk-eu-data-flows-what-does-data-adequacy-mean.html

Share this article

Latest News from
techUK

New CCS Chief Executive announced

24/04/2024 16:25:00

Last week, it was announced that the Crown Commercial Service had appointed it's new Chief Executive to replace Simon Tse when he retires this summer

Prime Minister announces significant increase in Defence spending

24/04/2024 13:20:00

Speaking yesterday at a NATO press conference in Poland, the Prime Minister committed to increase Defence spending to 2.5% of GDP by 2030, representing an additional £75bn in funding over the next 6 years.

Financial Conduct Authority publishes its response to work on big tech and data asymmetry in financial services

24/04/2024 11:20:00

Watch techUK’s Head of Financial Services, Andy Thornley, explain the FCA’s response to their work on big tech and data asymmetry in financial services!

Innovate to elevate: Can product design solve the UK's productivity paradox? (Guest blog from Exclaimer)

23/04/2024 11:25:00

Blog posted by: Vicky Wills, Chief Technology Officer, Exclaimer, 22 April 2024.

New National Cyber Security Centre CEO Announced

22/04/2024 11:25:00

Recently, Friday 19 April, the NCSC officially announced Richard Horne as the incoming Chief Executive Officer (CEO), succeeding Lindy Cameron who stepped down earlier this year.

NFCC Data, Digital and Technology Conference 2024

22/04/2024 10:25:00

The Digital, Data, and Technology (DDaT) Conference hosted by the National Fire Chiefs Council is a pivotal event designed to bring together senior leaders and practitioners in the fire service sector.

What the London Marathon can teach us about Open Finance and Digital Identity

19/04/2024 15:25:00

This Sunday 21st April, the 44th London Marathon takes place. With a world record of more than half a million hopefuls that have applied, it has become ever important for participants to share their journey around the city’s landmarks with their friends and family. Of course, just relying on spotting a runner’s face or individual number on their chest amongst this many people would be difficult, so how do the organisers solve this problem?

HMRC Publish Cross Justice Secure Mail PIN

19/04/2024 13:10:00

HMRC has just published a PIN to seek industry guidence to help define the requirements of future market competition.

techUK leads members delegation to the 8th edition of the UK-US SME Dialogue in Belfast

17/04/2024 16:25:00

On 15 and 16 April, techUK organized a members delegation to the 8th edition of the UK-US SME Dialogue in Belfast, Northern Ireland.

Facing the Future...find out more