Brexit – Temporary Data Adequacy Granted to the UK

Worries about the disruption of the flow of data and the effect of this on trade between the UK and EU countries with Brexit have been addressed by the granting of controversial, short-term data adequacy status to the UK.

What Is Data Adequacy?

For third countries, i.e. those outside the European Economic Area (EEA) of the EU (outside the DGPR zone), to be allowed to be granted cross-border data transfer without the need for further authorisation from a national supervisory authority or extra compliance burdens, the third country must prove that it has the right data protection measures and laws in place (i.e. those that are compatible with and are approved by the EU).  If these are in place, the third country can be granted data adequacy status which enables the free flow of data. Countries which have data adequacy status include Andorra, Argentina, Canada Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay.  Data adequacy status is also granted to sectors of an economy, or international organisations as well as countries.

Prior to the final Brexit date, the UK had not yet been granted full data adequacy status, so a temporary measure was needed in the interim.

Temporary Data Adequacy Granted

Under the EU-UK Trade and Cooperation Agreement concluded in December 2020, the EU granted temporary data adequacy status to the UK.  For data, The EU is, therefore, still currently treating the UK as part of the EU (not a third country), subject to certain conditions i.e., UK ministers cannot use Exit Regulations to determine or revoke data adequacy decisions.

For How Long?

TCA agreement on the data adequacy status means that it could apply for four to six months from 1 January 2021, or when data adequacy is fully granted. There is, however, some mutual consent between the EU and UK Partnership Council that could give further flexibility to this agreement.

Issues

Critics, such as Douwe Korff, professor of international law at London Metropolitan University, have argued, however, that there many reasons why the idea of the UK being granted this temporary third country status under EU law is unacceptable.  In short, Professor Korff argues that there are five good reasons why the UK being granted this kind of status are unacceptable in law, which are that:

1. This undermines EU data protection law as guaranteed by the EU Treaties, the EU Charter of Fundamental Rights and the EU data protection instruments as interpreted by the Court of Justice of the EU.

2. The issue of data protection (including in respect of transfers of personal data) should not be addressed in a free trade agreement.

3. UK mass surveillance, which is directly relevant to the issues of data protection adequacy and data transfer, is not being considered.

4. The specified four to six months period can be extended by the EU and the UK at will.

5. It appears to be assumed that a positive adequacy decision on the UK will be issued within the “stipulated period” i.e., four to six months.  This is not a certainty.

What Does This Mean For Your Business?

Since the UK has recently departed from the EU and, therefore, was already up to date with EU data protection laws, it would have been unfair to immediately treat the UK as a third country, hence the temporary arrangement.  The secure free flow of data without the need to comply with additional regulations or to face costly, complex, or time-wasting hurdles are essential for UK businesses to maintain their competitiveness.  The fact that this temporary agreement is flexible (e.g. four to six months or longer by agreement) is a double-edged sword because although it is convenient now, it doesn’t provide certainty going forward.  It is also worrying that some legal expert commentators have spotted potential legal flaws in the existing arrangement which could represent another threat for UK businesses looking for consistency and more certainty.  If the UK, at any point chooses to let its data laws and practices fall below EU standard, this could lead to negative consequences for businesses dealing with EU countries, so it is in the UK’s interests now to make sure that the increasingly important matter of data and data security are areas where standards are continually monitored and improved.