WHAT NEXT FOR THE UK’S DATA PROTECTION REGIME? T “
his will be welcome news to businesses, support continued cooperation between the UK and the EU, and help law enforcement authorities keep people safe.”
This was how digital secretary Oliver Dowden greeted news at the end of June that the European Commission had – “after more than a year” of discussions, the cabinet minister admitted – granted data adequacy status to the UK.
The decision, which allows data to flow between organisations in this country and the remaining 27 EU member states, ratifies that the UK’s laws “ensure a level of protection for personal data… that is essentially equivalent” to the EU.
Although approval took longer than many had hoped – coming six months after the end of the Brexit transition period – it is perhaps no surprise that the UK received the green light in the end. A UK version of the EU General Data Protection Regulation has been signed into our domestic law, alongside the Data Protection Act, which offers similar assurances.
Jon Baines, senior data protection specialist at business law firm Mishcon de Reya, tells CSW that, for organisations moving data between the EU and the UK, the continued absence of an adequacy decision would have meant every transfer would have come with “a need for contractual arrangements… [and] every time you would have to add in a list of clauses”.
“It would have added significant costs in terms of time,” he says.
Indeed, a November 2020 report from the New Economics Foundation and UCL European Institute – to which Baines contributed – estimated that the collective cost to the UK economy of failing to obtain adequacy would be as much as £1.6bn.
The decision means that data can now flow in both directions, in the certainty that the legal protection it receives in this country matches and complies with that of any EU nation.
But not covered by the adequacy decisions is the processing and transfer of information for the purposes of immigration control or enforcement.
This is because, in those cases, the UK Data Protection Act effectively provides an exemption that means personal data does not enjoy the same rights and protections as when it is being used for other business, public service, or law enforcement purposes.
The commission’s decision to exclude immigration data from the adequacy framework – which marked a divergence from the draft decision the commission published earlier this year – came in light of a successful legal challenge to the act’s immigration exemption, which the Court of Appeal recently ruled is incompatible with UK law.
“The commission will reassess the need for this exclusion once the situation has been remedied under UK law,” it said in a statement when granting the adequacy decision.
The EU may have granted its former member state adequacy, but there will be many more issues to resolve in the coming years. Sam Trendall explores.