Data, adequacy and the future relationship – an explainer
Conversation around the UK/EU trade deal has mostly focused on how goods will be exported and imported in the future. However, UK trade with the EU is also conducted away from customs locations, particularly when it comes to the trade in services which make up a majority of the UK’s trade with the EU.
The UK is a major data hub. While the UK makes up around 3% of global GDP, 11.5% of global cross-border data flows pass through the UK, 75% of this traffic is with the EU. Data is therefore a major component in the future relationship with the EU, with both the trade in goods and services underpinned by exchanges of data.
When the UK was a member of the EU, it was bound by common rules on data protection with the UK’s data protection authority, the Information Commissioner's Office (ICO), sitting on the pan European data protection forum - the European Data Protection Board (EDPB). As part of this arrangement the flow of data between the UK and the EU was relatively free, meaning individuals, companies and public authorities could transfer data across the EEA as if it were a single state, as long as data protection rules (the EU GDPR) were followed. Outside of this framework an additional legal basis needs to be found to transfer data with the EU, this is either through a country or sector wide solution known as data adequacy or specific business group, or entity to entity contractual solutions.
During the transition period, which ran till 31 December 2020, it was business as usual with no substantive changes in the ways most companies transfered personal data. However following the agreement of the Trade and Cooperation Agreement (TCA) the UK and EU published a joint statement agreeing a further bridge period of up to six months after the end of the transition period where personal data transfers to the UK will not be considered transfers to a third country. In effect extending the transition period for data transfers. The bridge mechanism took effect a the same time as the UK-EU trade agreement, 1 January 2021.
This means that during the period (intially four months long, but extendable up to six months) personal data can continue to flow as it did during the transition period. This period is to allow for the completion of an ongoing assessment of the UK's data protection rules to determine whether the UK will be granted data adequacy.
However, at the end of this period, unless a positive adequacy decision is given, the UK will default to become a third country and as a result there will be no intrinsic entitlement to allow data to be transferred between the UK and the EU requiring companies to find a new legal basis.
A positive adequacy decision between the UK and the EU is overwhemingly in the interests of both sides, as well as the thousands of UK and EU individuals, businesses and civil society groups that exchange data every day. An adequacy decision also does not place legal restrictions on the autonomy of either the UK or the EU, and supports the objectives of both sides for achieving a new and benefical trading relationship.
The below FAQs set out the circumstances under which personal data will be able to be exchanged between the U.K. and the EU in the event of a positive adequacy decision being granted, as well as, in the case where a decision is not reached how companies can create a new legal basis for data transfers.
- What is an adequacy decision?
- Does an adequacy decision mean the U.K. must follow EU rules?
- Will the UK’s data protection rules be different at the end of the transition period?
- How long does an adequacy decision take?
- What happens if an adequacy decision isn’t granted?
1. What is an adequacy decision?
Adequacy is a process created by the EU to certify that a country (or sector within a country) meets equivalent standards to EU rules on data protection.
Countries can apply for and may be granted adequacy by the European Commission if their data protection regimes are deemed to provide sufficient protections to personal data in their jurisdictions. This requires an assessment by the European Commission.
Receiving a full adequacy decision allows personal data to be transferred to and from the EEA as long as the relevant local data protection rules are followed. If the European Commission cannot grant a full decision, partial adequacy decisions can be granted allowing certain sectors or registered companies to transfer data. For example, the EU has a partial decision with Canada.
You can read more detail on adequacy and international transfers in techUK’s report No Interruptions.
2. Does an adequacy decision mean the UK must follow EU rules?
No. The political declaration between the two sides noted that the UK will be establish its own international transfer regime. This autonomy was confirmed in the final UK-EU TCA. The agreement contains a commitment from both the UK and EU to maintain high data protection standards as well as creating a Partnership Council and commitments to regulatory dialouge to allow the UK and EU to continue colaboration on data protection issues.
Under adequacy there will be a review by the EU of the UK’s adequacy status at least every four years, this will take into account any relevant developments, however this does not limit the legislative ability of the UK on data protection.
Adequacy also does not prevent the UK from negotiating and signing digital trade chapters in future free trade agreements. New Zealand holds an EU adequacy decision while also being a signatory of the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTTP). Japan also holds an EU adequacy decision while being party to agreements and negotiations which cover digital trade, such as the CPTTP and the U.S.-Japan Digital Trade Agreement.
3. Will the UK’s data protection rules be different at the end of the transition period?
The UK’s departure from the EU will mean that the UK and EU will have legally separate approaches to data protection in the future. This is similar to other countries the EU has adequacy agreements with. Both the UK and EU have agreed in the TCA to ensure high levels of personal data protection and to work together on data protection issues.
Both the UK and EU will reform their own data protection rules over time. UK is currently reviewing its data strategy and international transfers regime, through the National Data Strategy, however major legislative changes are unlikley with the UK seeking to retain a UK version of the GDPR. The EU is also updating its own data protection rules through a review of the GDPR and the Digital Services Act and Digital Markets Act.
As long as the the UK and EU maintain high standards and equivilant levels of personal data protection then adequacy can be maintained, in spite of reforms to data protection rules. Both sides have committed to pursuing high standards and collaboration in data protection in the UK-EU TCA.
4. How long does an adequacy decision take?
The shortest time an adequacy decision has been completed in was 18 months (with Argentina).
However, because the UK and the EU apply very similar data protection laws the UK is an unprecedented case, meaning that it is hard to judge based on on past decisions.
The UK’s security services will come under scope in this decision. As a third country UK security services are not exempted from assessment under the adequacy process. This has been a known issue since before the assessment began and to address this the UK-EU TCA contains specific commitments when transfering personal data for security purposes.
During the additional six month bridge period if the UK makes specifc changes to its data protection regime, such as enacting new Standard Contractual Clauses or Binding Corporate Rules then the EU can halt the assessment and end the bridge period. This would result in a no adequacy outcome and force the UK and EU to exchange data on third country terms.
5. What happens if an adequacy decision isn’t granted?
If an adequacy decision is not granted by the end of the six month additional bridge period, the UK and EU will exchange data based on their individual international transfers rules.
At the moment as both the UK and EU have similar rules based on the GDPR there are clearly defined processes for transferring data requiring the use of appropriate safeguards, such as standard contractual clauses (SCCs) or Binding Corporate Rules (BCRs).
The ICO has provides detailed information on appropriate safeguards, as well as examples of model clauses which can be used here.
The UK Government has already stated that it will automatically recognise the EU as adequate for data transfers. This means that outbound transfers of data from the UK to the EEA will not be restricted as long as UK data protection rules are followed.
However, the EU has made no such commitment meaning that appropriate safeguards would be needed for inbound transfers, from EEA based entities to the UK. If these are not followed EEA based entities could be investigated and fined by the data protection authority of the host member state.
For further information please see ICO guidance on international transfers, there is also UK Government guidance to help businesses prepare for a no adequacy outcome which can be found here.
