EU and UK reach post-Brexit data flows deal


The European Union (EU) has formally approved Britain's post-Brexit data protection standards and will allow data to continue to “flow freely” between the continent and the UK.

The move follows over a year of deliberations, during which the European Commission (EC) assessed the overall level of data protection in the UK and its compatibility with the EU's General Data Protection Regulation (GDPR) and Law Enforcement Directive (LED).

The EC announced on Monday that it has adopted the ‘data adequacy’ decisions, allowing UK businesses and organisations to continue to receive personal data from the EU and the European Economic Area (EEA), without the need for additional arrangements with individual states.

The UK’s “adequate” status is guaranteed for four years, but the Commission warned it could be withdrawn if UK law was no longer deemed to offer EU citizens protection over how their data was used. This ‘sunset clause’ comes as the UK government mulls plans to scrap current data protection laws, labelling GDPR as “prescriptive and inflexible”.

Still, for now, the news “will be greeted with much relief by businesses”, according to Jon Baines, senior data protection specialist at law firm Mishcon de Reya. If it had not been approved, the UK’s businesses would “have been faced with having to consider costly alternative measures to continue those data flows”, he added.

“But no one should assume that the story ends here,” said Baines. “The EC will continue to monitor the UK’s data-related laws and practice, and if it feels there is notable divergence from the EU model, it has the power to cancel the agreement. There will also certainly be some people watching closely from the sidelines, such as those in the civil society sector, who may bring challenges to the legality of the decision itself, or of data transfers made under the decision.”

This time last year, the adequacy agreement was still up in the air, largely due to the UK’s data-sharing agreement struck with the US, which was thought to be incompatible with the EU’s existing data protection laws.




However, earlier this year, the UK’s data protection standards were found to be ‘adequate’ in a draft of the decision, with the verdict having been officially confirmed today.

CBI director of Policy, John Foster, described the “free flow of data” as “the bedrock of the modern economy”, adding that it’s “essential for firms across all sectors – from automotive to logistics” and plays “an important role in everyday trade of goods and services”.

Meanwhile, techUK CEO Julian David said that the agreement could potentially unlock an estimated “€2 trillion of growth”.

“The UK must also now move to complete the development of its own international data transfer regime in order to allow companies in the UK not just to exchange data with the EU, but also to be able to access opportunities across the world,” he added.

Sabina Weston
