Brexit Manoeuvres: the UK’s Path to Data Protection Adequacy

The United Kingdom (“UK”) left the European Union (“EU”) on 31 January 2020 and entered into a transition period that is due to end on 31 December of this year. During this period, the UK remains subject to EU laws and rules, including the General Data Protection Regulation (“GDPR”). Once the transition period has come to an end, personal data will no longer be able to flow freely between the EU and the UK; instead, data controllers and processors wishing to transfer personal data between the EU and the UK will need to comply with cross-border transfer provisions under both the GDPR and the new UK version of the GDPR.

With respect to transfers from the UK to the EU, the UK government has indicated an intention to grant an adequacy decision in favour of the EU, thereby enabling the transfer of personal data from the UK to the EU without the requirement for any additional provisions.

For transfers from the EU to the UK though, the UK must go through the European Commission (the “Commission”) adequacy assessment process in order to benefit from an adequacy decision that would allow free flow of personal data from the EU to the UK. On 3 February 2020, the Commission authorised the opening of negotiations for a new partnership with the UK.

On 24 February 2020, the European Data Protection Supervisor (“EDPS”) published an opinion on the Commission’s opening of the partnership negotiations and noted that it supported the Commission’s endeavour to achieve as much as possible during the transition period and that “being close neighbours, the EU and UK will continue to have many interests in common so that an extensive exchange of information, including personal data, between the EU and the UK can be expected”.

The EDPS also noted that, given the unique status of the UK as a former member state of the EU, any substantial deviation from EU law that would result in lowering the level of protection for personal data would be an important obstacle to a finding of adequacy. Currently, the UK is bound by EU rules and will remain so at the end of the transition period. This point was made in the UK government’s written statement of 3 February 2020, which stated that at the point of exit the UK will be operating on exactly the same regulatory framework as the EU. However, that statement did also note that the UK will, in the future, develop separate and independent policies in areas such as data protection. As any adequacy decision would be continually monitored, any deviation from EU laws that would lower the level of protection for personal data may result in a complete or partial repeal or suspension of any adequacy decision in favour of the UK.

It is clear from the publications released so far that all parties involved are prima facie committed to entering into a partnership that enables the free transfer of personal data. However, evidently there are potential obstacles that may prevent an adequacy decision from being adopted or maintained. Businesses should therefore take the opportunity to consider alternative tools for data transfers from the EU to the UK, such as standard contractual clauses or binding corporate rules.