Data can keep flowing between the UK and Europe, the European Commission determined today, making its long-awaited decision on "adequacy" -- but warning that it "will be closely monitoring how the UK system evolves in the future and we have reinforced our decisions to allow for this and for an intervention if needed."
The decision will prove a relief for enterprises concerned at the months of uncertainty surrounding EU-UK data flows that lingered after the Brexit agreement was signed. (Under GDPR and the Law Enforcement Directive, personal data can't be transferred outside the EU unless adequate safeguards are in place: e.g. via standard contractual clauses. The easiest and most robust way this can be proved for data controllers and data processors is via an adequacy decision under Article 45 GDPR and Article 36(3) LED respectively. The UK now has both.)
Secretary of State for Digital Oliver Dowden said the UK will now "focus on unlocking the power of data to drive innovation and boost the economy while making sure we protect people’s safety and privacy" as others, including techUK CEO Julian David noted the importance of the June 28 decision by the Commission.
As David put it: "Securing an EU-UK adequacy decision has been a top priority for techUK and the wider tech industry since the day after the 2016 referendum. The decision that the UK’s data protection regime offers an equivalent level of protection to the EU GDPR is a vote of confidence in the UK’s high data protection standards and is of vital importance to UK-EU trade as the free flow of data is essential to all business sectors.
"The data adequacy decision also provides a basis for the UK and EU to work together on global routes for the free flow of data with trust... possibly unlocking €2 trillion of growth. The UK must also now move to complete the development of its own international data transfer regime in order to allow companies in the UK not just to exchange data with the EU, but also to be able to access opportunities across the world."
Data adequacy decision: MEPs fire warning shot.
The decision (which includes a four-year sunset clause) comes five weeks after a European Parliament resolution "on the adequate protection of personal data by the United Kingdom" saw MEPs warn that they were "deeply concerned about public statements by the UK Prime Minister declaring that UK will seek to diverge from EU data protection rules and establish its own ‘sovereign’ controls in this field; [and] consider that the 2020 UK national data strategy represents a shift from the protection of personal data towards a wider use and sharing of data that is incompatible with the principles of fairness, data minimisation and purpose limitation under the GDPR."
The European Commission noted that it will "continue to monitor the legal situation in the UK and could intervene at any point, if the UK deviates from the level of protection currently in place. Should the Commission decide to renew the adequacy finding, the adoption process would start again."
Yet as Dr Ian Brown and Professor Douwe Korff have noted, on divergence on data protection more generally, "it is notable that the UK already feels emboldened to signal that it wants to significantly depart from the EU rules. A UK Government-commissioned report released while the EU adequacy decisions are formally still pending, Report of the Taskforce on Innovation, Growth and Regulatory Reform (TIGRR), states:
[The EU] GDPR is prescriptive, and inflexible and particularly onerous for smaller companies and charities to operate. It is challenging for organisations to implement the necessary processes to manage the sheer amounts of data that are collected, stored and need to be tracked from creation to deletion. Compliance obligations should be more proportionate, with fewer obligations and lower compliance burdens on charities, SMEs and voluntary organisations.
"Can we really trust the Commission’s pledge that it will 'closely monitor' any such 'lessening of burdens' and limiting of compliance?", they asked in a June 17 blog addressing what they had seen of the final draft adequacy decisions. "To judge by this flimsy UK adequacy decision, not an inch."
Curiously the Commission's adequacy decision highlights that "with respect to access to personal data by public authorities in the UK, notably for national security reasons, the UK system provides for strong safeguards." Why curiously? The statement comes just four weeks after the European Court of Justice's Grand Chamber warned that the UK’s bulk surveillance regime — as revealed in the Edward Snowden leaks — violates the rights to privacy and freedom of expression under Articles 8 and 10 of the European Convention on Human Rights.
The Home Office disputed that characterisation in an email to The Stack: “The UK has one of the most robust and transparent oversight regimes for the protection of personal data and privacy anywhere in the world.This unprecedented transparency sets a new international benchmark for how the law can protect both privacy and security whilst continuing to respond dynamically to an evolving threat picture.
"The 2016 Investigatory Powers Act has already replaced large parts of the 2000 Regulation of Investigatory Powers Act (RIPA) that was the subject of this challenge. We note today’s [May 25ths] judgment.”
The EC's adequacy decision and associated documents are here.
HMG's response is here.