EU grants UK data adequacy for a four-year period
The decision recognizes that the UK’s rules — which are, in effect, the EU’s — were satisfactory to meet the EU’s level of protection. The decisions are requirements under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive allowing data to flow freely from the EU to the UK.
British Prime Minister Boris Johnson asked leading Brexit supporters, including Iain Duncan Smith MP, to form a taskforce to “seize the new opportunities from leaving the EU”. One of the areas identified by the taskforce was GDPR, which it considers to be a barrier to innovation and growth.
In its final report, the taskforce specifically identifies articles 5 and 22 of the GDPR as
detrimental to business. Article 5 of GDPR requires data be “collected for specified, explicit and legitimate purposes” and “adequate, relevant and limited to what is necessary”. The taskforce believes that this limits the development of AI technologies.
Article 22 of GDPR stipulates that individuals should “[not] be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her, or similarly significantly affects him or her”, the UK side argues that including human review, might result in decisions that are wrong, not explainable or biased and say that automated decision-making should not be based solely on explicit consent, but could be used where there was a legitimate or public interest in play.
Values and Transparency Vice President Věra Jourová said: “The UK has left the EU but today its legal regime of protecting personal data is as it was. Because of this, we are adopting these adequacy decisions today.” Jourová acknowledged the concern of Parliament over the possibility of UK divergence, but said there were significant safeguards.
Justice Commissioner Didier Reynders said: “After months of careful assessments, today we can give EU citizens certainty that their personal data will be protected when it is transferred to the UK. This is an essential component of our new relationship with the UK. It is important for smooth trade and the effective fight against crime.”
For the first time, the adequacy decisions include a ‘sunset clause’, which strictly limits their duration. This means that the decisions will automatically expire after four years. After that period, the adequacy findings might be renewed, however, only if the UK continues to ensure an adequate level of data protection.
The Commission has confirmed that during these four years, it will continue to monitor the legal situation in the UK and could intervene at any point, if the UK deviates from the level of protection currently in place.
Julian David, CEO of TechUK, a trade body for the UK digital sector, said: “Securing an EU-UK adequacy decision has been a top priority for techUK and the wider tech industry since the day after the 2016 referendum. The decision that the UK’s data protection regime offers an equivalent level of protection to the EU GDPR is a vote of confidence in the UK’s high data protection standards and is of vital importance to UK-EU trade as the free flow of data is essential to all business sectors.”
The UK is hoping that developments on this question can be developed through the G7 Digital and Technology sector co-ordination agreement.
Rafi Azim-Khan, Head of Data Privacy at international law firm Pillsbury, said: “You could probably power the UK’s entire offshore wind fleet with the sigh of relief from UK businesses. The UK has now secured a data law adequacy finding from the EU. This is a very big deal for any businesses operating in the UK, as it avoids complications that could have interfered with data flows from the EU to the UK, in the same way transfers beyond the EU to the US, Far East and other countries are affected.
“It must be remembered that EU rules have been driving data-law changes across the world. The GDPR is often viewed as the gold standard of data-privacy laws and has had a major ripple effect such as influencing new laws, such as in Brazil and California. The EU is seemingly prepared to take a hard line over changes to the GDPR. It’s likely the UK will stay pretty much in lockstep with Europe, perhaps with some tinkering to help fit ‘Global Britain’ efforts.”