Will the EU assess the UK to be adequate enough?

I am delighted to announce that John Whittingdale, Minister of State for Media and Data, has kindly agreed to write an article on personal data policy for the March edition of PL&B UK Report and give a keynote presentation at PL&B’s 34th Annual International Conference 4-6 July this year.

The UK government is confident that an agreement will be reached with the EU. On 11 January, Whittingdale declared in Parliament: “Given we have an existing data protection framework that is equivalent to the EU’s, we see no reason why the UK should not be awarded adequacy and we expect the process to be concluded promptly.”

However, the mood in Brussels is more cautious. Three days later, the European Commission’s chief negotiator on this issue, Bruno Gencarelli gave a statement to the European Parliament’s LIBE (Civil Liberties, Justice and Home Affairs) Committee (10.44h. to 10.52h) when he explained the hurdles to overcome in the 4-6 month transition period before there could be an adequacy declaration for the UK.

While we at Privacy Laws & Business have reported on the nerve wracking Brexit process (pp. 1, 10, and 21), it seems to us more likely than not that the additional transition period for personal data of up to six months will enable the European Commission and the UK government to reach some kind of agreement to keep most of the personal data flowing from the European Economic Area (EEA) to the UK. Based on my experience, of European Commission approval of first the EU-US Safe Harbor and then the EU-US Privacy Shield, I expect that the final decision will be taken on political and economic rather than legal grounds.

If the UK is not deemed to have an adequate data protection law, what are the chances of success for other applicant countries?

Expanding its horizon, the UK government’s DCMS Department has been very active in negotiating bilateral data agreements with countries outside the European Economic Area, for example, with Canada and Switzerland, as we heard in our conference sessions last month and we will return to this subject.

Data links with countries outside the EEA also negotiated by the ICO

When it comes to nurturing data links with Data Protection Authorities in countries outside the EEA, the ICO has in the last 18 months been actively taking its own initiatives, as can be seen in its announcements of Memorandums of Understanding (MoUs) with Data Protection Authorities in the Philippines this month, the US Federal Trade Commission (December 2020), Hong Kong (July 2020), Australia (January 2020), Singapore (June 2019) and Canada (undated document).

These initiatives are undoubtedly assisted by Elizabeth Denham’s role as Chair of the Global Privacy Assembly which enables her to build on these multilateral links.

The ICO’s other MoUs

The ICO has published a total of 44 MoUs, clear evidence of the ICO’s drive to forge links with other regulators and they range across many areas. The most recent was with the Global Cyber Alliance, published in December 2020.

MoUs with private sector regulators include those with the Advertising Standards Authority, the Competition and Markets Authority, the Financial Conduct Authority, Ofcom and Ofgem. MoUs with the UK public sector include those with the Criminal Records Office (2015), the Care Quality Commission (March 2019) and Transport for London (January 2018).

There is an MoU with the UK Intelligence Community (February 2020) which includes Ml5, SIS and GCHQ. It is the way in which data protection law applies in the intelligence and national security field which is expected to be subject to particular scrutiny by the European Commission because of the way in which such data is shared with other countries outside the EEA, particularly the United States where privacy protections are very patchy.

We will maintain our close links with the DCMS and the ICO to keep you well informed.


Stewart Dresner, Publisher


UK Report 113

Lead stories:

Common sense prevails in post-Brexit data transfers

The Interim Agreement enables seamless data transfers to the UK while the EU Commission still works on the UK adequacy decisions. By Lucas Atkin of Greenwoods GRM LLP.

Five takeaways from the Experian enforcement action

Ben Sigler and Katie Hewson of Stephenson Harwood LLP look at the details of the ICO’s enforcement notice on Experian, and provide guidance for marketeers. 

Click for full contents list