The European Commission has indicated that it will soon grant data adequacy to the UK, resolving a potentially troublesome issue remaining from Brexit.
It said it has launched the process towards the adoption of two adequacy decisions for transfers of personal data between the two sides – one under the General Data Protection Regulation (GDPR) and the other for the Law Enforcement Directive – and that their publication is the beginning of a process towards their adoption by the European Council.
This will permit the continued free flow of personal data between the European Economic Area (EEA) and the UK, which has continued under a six-month bridging agreement as part of the trade deal between the two sides agreed late last year.
It has a relevance to the UK public sector in easing the way to the future of cloud services under which data resides in data centres in continental Europe or the Republic or Ireland.
The issue has come up in discussions organised by UKAuthority for public sector digital leaders, who have cited it as a potential complication for the future use of cloud. The EU decision will effectively give the UK public and private sectors more flexibility in the use of cloud.
It could also have a bearing on the exchange of information to in law enforcement.
Co-operation against crime
Didier Reynders, EU commissioner for justice, said: “A flow of secure data between the EU and the UK is crucial to maintain close trade ties and co-operate effectively in the fight against crime.
“Today we launch the process to achieve that. We have thoroughly checked the privacy system that applies in the UK after it has left the EU. Now European data protection authorities will thoroughly examine the draft texts. EU citizens' fundamental right to data protection must never be compromised when personal data travel across the Channel.
“The adequacy decisions, once adopted, would ensure just that.”
Under GDPR transfers of personal data to non-EU/EEA countries are not automatically allowed, requiring an additional legal basis such as the data adequacy decision.
It will now be scrutinised by the European Data Protection Board before going to the European Council. If it is adopted, UK organisations that want to transfer data between the side will not need to put in place additional legal arrangements.
The Commission said it will be reviewed after four years.
The UK government has expressed its relief at the move. Secretary of State for Digital Oliver Dowden said: “I welcome the publication of these draft decisions which rightly reflect the UK’s commitment to high data protection standards and pave the way for their formal approval.
“Although the EU’s progress in this area has been slower than we would have wished, I am glad we have now reached this significant milestone following months of constructive talks in which we have set out our robust data protection framework.
“I now urge the EU to fulfil their commitment to complete the technical approval process promptly, so businesses and organisations on both sides can seize the clear benefits.”
IT industry association techUK also welcomed the announcement, having advocated the continuation of the free flow of data since the EU referendum.
Its chief executive officer Julian David said: “The European Commission decision that the UK’s data protection regime offers an equivalent level of protection to the EU GDPR is a vote of confidence in the UK’s high data protection standards. Today's decisions are warmly welcomed by the tech sector which has been making clear the importance of a mutual data adequacy agreement since the day after the referendum.”
Image from iStock, mixmagic