EU recognises the UK’s Data Protection Act as adequate but…

The EU formally announced on 28 June that it has recognised the UK’s data protection law as adequate to enable the free flow of personal data from the European Economic Area to the United Kingdom.

This 93 page document gives a very thorough assessment which starts by describing the framework of democracy and law in the UK, even referring to the Magna Carta and the Bill of Rights 1689, and more recently the UK’s ratification in 1987 of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108).

As expected, this EU document states “As the UK GDPR is based on EU legislation, the data protection rules in the United Kingdom in many aspects closely mirror the corresponding rules applicable within the European Union” and is therefore, “essentially equivalent.”

The UK’s future independent path to minimise burdens on organisations

The UK government’s response is enthusiastic “The UK government welcomes the move, which rightly recognises the country’s high data protection standards.” However, at the same time it gives an indication of the development of the UK’s data protection policy in the future. “The government plans to promote the free flow of personal data globally and across borders, including through ambitious new trade deals and through new data adequacy agreements with some of the fastest growing economies, while ensuring people’s data continues to be protected to a high standard.”

It sets a clear independent path stating “All future decisions will be based on what maximises innovation and keeps up with evolving tech. As such, the government’s approach will seek to minimise burdens on organisations seeking to use data to tackle some of the most pressing global issues, including climate change and the prevention of disease.”

Secretary of State for Digital, Oliver Dowden, in a balanced statement said: “We will now focus on unlocking the power of data to drive innovation and boost the economy while making sure we protect people’s safety and privacy.”

The EU’s uses a 4 year sunset clause for the first time

It is this UK potential divergence from the EU GDPR standard that has attracted critical attention in the European Parliament and elsewhere. This is the reason that Věra Jourová, Vice-President for Values and Transparency, said: “ … we have listened very carefully to the concerns expressed by the Parliament, the Members States and the European Data Protection Board, in particular on the possibility of future divergence from our standards in the UK's privacy framework. We are talking here about a fundamental right of EU citizens that we have a duty to protect. This is why we have significant safeguards and if anything changes on the UK side, we will intervene.”

Didier Reynders, Commissioner for Justice, said: …“The Commission will be closely monitoring how the UK system evolves in the future and we have reinforced our decisions to allow for this and for an intervention if needed. The EU has the highest standards when it comes to personal data protection and these must not be compromised when personal data is transferred abroad.”

The EU’s official statement contains an explicit warning to the UK:

“For the first time, the adequacy decisions include a so-called ‘sunset clause', which strictly limits their duration. This means that the decisions will automatically expire four years after their entry into force. After that period, the adequacy findings might be renewed, however, only if the UK continues to ensure an adequate level of data protection. During these four years, the Commission will continue to monitor the legal situation in the UK and could intervene at any point, if the UK deviates from the level of protection currently in place. Should the Commission decide to renew the adequacy finding, the adoption process would start again.”