UK granted data adequacy by the European Commission
On 19 February 2021, the European Commission launched the process towards adopting two adequacy decisions after having assessed the UK’s data protection regime as providing an equivalent level of protection to the EU General Data Protection Regulation (GDPR) and the Law Enforcement Directive. These decisions, if adopted by the European Council, will grant the UK ‘data adequacy’ permitting the continued free flow of personal data between the European Economic Area (EEA) and the UK.
Under the EU GDPR transfers of personal data to non-EU/EEA countries are not automatically allowed, requiring an additional legal basis. Data adequacy decisions provide such a legal basis and are granted to countries which demonstrate an equivalent level of data protection to the EU GDPR.
Personal data was still able to be exchanged freely between the UK and the EU during the transition period between 31 January 2020 and 31 December. The EU-UK Trade & Cooperation Agreement (TCA) signed on 24 December 2020 included a bridging mechanism up until June 2021 to extend this as there was insufficient time for the European Commission to complete its data adequacy assessment before the end of the transition period.
The decision will now be scrutinised by the European Data Protection Board which will give an opinion on the Commission's assessment. After the opinion is given, the decision will progress to comitology before a final decision is taken by the European Council.
If the adequacy decisions are adopted, companies based in the UK that want to continue transferring data from the EU to the UK will not need to put in place an additional legal basis, such as Standard Contractual Clauses (SCCs), to transfer personal data with the EEA. The adequacy decision will be reviewed after four years.
Since the day after the 2016 EU referendum, techUK members with bases in the UK and the EU have advocated for the continued free flow of data between the UK and the EU as one of their core priorities.
According to a report by the New Economics Foundation and the UCL European Institute, the additional compliance obligations resulting from not receiving data adequacy could have cost the UK economy up to £1.6 billion.The decision by the European Commission that the UK is adequate is significant for both the UK and EU tech sectors which raised a combined $41bn in investment in 2020 and are at heart of the post-COVID 19 economic recovery plans. Combined with the non-discrimination and data flows provisions within the UK-EU TCA, this decision will enable UK and EU technology companies to access the maximum benefits from the new UK-EU trading relationship.
Commenting on the data adequacy decisions, techUK CEO Julian David said:
The European Commission decision that the UK’s data protection regime offers an equivalent level of protection to the EU GDPR is a vote of confidence in the UK’s high data protection standards. Today's decisions are warmly welcomed by the tech sector which has been making clear the importance of a mutual data adequacy agreement since the day after the referendum. Receiving data adequacy, alongside the EU-UK Trade and Cooperation Agreement, will set a solid foundation for digital trade with the EU, including strong non-discrimination clauses and positive data flows provisions, that will give businesses the confidence to invest. As we go forward, the UK must also complete the development of its own international data transfer regime, allowing UK companies not just to exchange data with the EU, but also to be able to access global opportunities.
Alessandra is techUK’s Policy Manager for Data. She sits in the Policy team and works closely with techUK’s Technology and Innovation team.
Her work is focused on key issues such as the UK’s National Data Strategy, international data transfers, data protection and Smart Data. Prior to joining techUK, Alessandra worked for a public policy consultancy where she helped international technology companies navigate the risks and opportunities of digital policy.
Alessandra has experience working for the European Asylum Support Office, the Malta High Commission in London during Malta’s first rotating presidency of the Council of the EU, and the European Parliament. She has an academic background in public policy and European studies.
As Head of Policy Neil leads techUK's domestic policy development. He regularly engages with UK and Devolved Government Ministers, senior civil servants and Members of the UK’s Parliaments with the aim of supporting government and industry to work together to make the UK the best place to start, scale and develop technology companies.
Neil joined techUK in 2019 to lead on techUK’s engagement in the UK-EU Brexit trade deal negotiations, as well as leading on economic policy.
He has a background in the UK Parliament and in social research. Neil holds a masters degree in Comparative Public Policy from the University of Edinburgh and an undergraduate degree in International Politics from City, University of London.
Sue leads techUK's technology and innovation work at techUK.
This includes work programmes on cloud, data protection, data analytics, AI and Internet of Things as well as emerging and transformative technologies and innovation policy. She has been recognised as one of the most influential women in UK tech by Computer Weekly and as a key influencer in driving forward the Big Data agenda in the UK Big Data 100. Sue has also been shortlisted for the Milton Keynes Women Leaders Awards and was a judge for the Loebner Prize in AI. In addition to being a regular industry speaker on issues including AI ethics, data protection and cyber security, Sue was recently a judge for the UK Tech 50 and is a regular judge of the annual UK Cloud Awards.
Prior to joining techUK in January 2015 Sue was responsible for Symantec's Government Relations in the UK and Ireland. She has spoken at events including the UK-China Internet Forum in Beijing, UN IGF and European RSA on issues ranging from data usage and privacy, cloud computing and online child safety. Before joining Symantec, Sue was senior policy advisor at the Confederation of British Industry (CBI). Sue has an BA degree on History and American Studies from Leeds University and a Masters Degree on International Relations and Diplomacy from the University of Birmingham. Sue is a keen sportswoman and in 2016 achieved a lifelong ambition to swim the English Channel.