EU grants the UK provisional ‘data adequacy’ status

The UK criticises the EU for not already reaching this agreement prior to the formal Brexit withdrawal date

The European Commission (EC) has published a draft data adequacy decision for the UK, ensuring that data will continue to flow undisrupted from the EU to the UK.

The EU has concluded that the UK ensures an “essentially equivalent” level of data protection to both the General Data Protection Regulation (GDPR ) and the Law Enforcement Directive (LED). 

Brexit threatened to disrupt data flows because the UK had been relegated to a ‘third country’ by default, effectively putting an end to the free flow of data and information from the EU to the UK. This would have posed a massive challenge to businesses based in the UK that held or stored data in servers abroad, for example. Academic modelling also showed that the lack of such an agreement would have cost businesses up to £1.6 billion.

Although the UK managed to guarantee a six-month transitional period from the beginning of the year, the only way to permanently ensure data would continue to flow was by securing a data adequacy agreement. This would establish the UK as a secure ‘third country’ with harmonised data protection laws and practices. 

As part of the agreement, the EU will review the adequacy agreement at most every four years and monitor developments in the UK, as well as take note of other relevant international agreements the UK strikes. As such, the formal agreement can be revoked at any time in the future when it’s eventually struck, if the UK waters down its data protection laws to such an extent that they’re no longer essentially equivalent to GDPR.

“Ensuring free and safe flow of personal data is crucial for businesses and citizens on both sides of the Channel,” said Věra Jourová, the EU’s vice president for values and transparency. 

“At the same time, we should ensure that our decision will stand the test of time. This is why we included clear and strict mechanisms in terms of both monitoring and review, suspension or withdrawal of such decisions, to address any problematic development of the UK system after the adequacy would be granted.”

The UK government has welcomed the draft decision, suggesting that international data flows are essential in a world that’s becoming increasingly connected. Technical confirmation of the draft decision will help to ensure that UK businesses and organisations across various sectors can continue to operate undisrupted and without having to face extra costs.

Related Resource

Cost of a data breach report 2020

Find out what factors help mitigate breach costs

cost of a data breach report 2020 - whitepaper from IBMDownload now

The draft decisions published by the EC will now be shared with the European Data Protection Board (EDPB) for its non-binding opinion, before being presented to EU member states for formal approval.

The government added in its press release that it “made representations to the EU in a timely manner”, but that the European Commission failed to finalise draft decisions before the transitionary period ended.

“For this reason,” the statement continued, “as part of the UK/EU Trade and Cooperation Agreement, a time-limited bridging mechanism’ for personal data flows was agreed. This currently allows personal data to continue to flow as it did before the end of the Brexit transition period for up to six months, while the EU completes the adequacy process.

“The UK government now urges the EU to swiftly complete this technical process for adopting and formalising these adequacy decisions as early as possible.”

This bridging mechanism will remain in place until 30 June, or until the formal adequacy decisions come into effect. 

The Information Commissioner’s Office (ICO), which has prepared guidance and material for businesses over the last few years to prepare them for all eventualities, also welcomed the decision, branding it an important milestone. Information Commissioner Elizabeth Denham said the announcement gets the regulator a step closer to having a clear picture for organisations processing personal data from the EU.

Featured Resources

Consumer choice and the payment experience

A software provider's guide to getting, growing, and keeping customers

Download now

Prevent fraud and phishing attacks with DMARC

How to use domain-based message authentication, reporting, and conformance for email security

Download now

Business in the new economy landscape

How we coped with 2020 and looking ahead to a brighter 2021

Download now

How to increase cyber resilience within your organisation

Cyber resilience for dummies

Download now

Recommended

Senator reintroduces federal data protection bill
data protection

Senator reintroduces federal data protection bill

17 Jun 2021
A new trust model for the 5G era
Whitepaper

A new trust model for the 5G era

24 Jun 2021
CVS Health data breach leaves a billion records exposed
data protection

CVS Health data breach leaves a billion records exposed

16 Jun 2021
Researchers send “unhackable” quantum data over 370-mile optical fiber
data protection

Researchers send “unhackable” quantum data over 370-mile optical fiber

11 Jun 2021

Most Popular

Best paying tech jobs of 2021
Careers & training

Best paying tech jobs of 2021

7 Jun 2021
OnePlus 9 Pro review: An instant cult classic
Hardware

OnePlus 9 Pro review: An instant cult classic

7 Jun 2021
Mythic launches power-sipping AI chip
Hardware

Mythic launches power-sipping AI chip

8 Jun 2021