UK data adequacy – still a waiting game?
If your business regularly transfers data between the EU and UK, should you still be waiting to see whether the UK is granted an adequacy decision? The signs are hopeful, but would you be wasting resource by preparing for a no adequacy scenario? Is there any advantage to taking action now?
The story so far
Throughout the Securys webinar series on Brexit and International Data Flows, we have suggested that a prudent approach for organisations that regularly transfer personal data between the EU and UK is to prepare for the UK to be a third country by mapping data flows, working with processors to understand local laws and surveillance regimes, completing transfer impact assessments and putting appropriate and specific safeguards in place. That remains our advice, as this work will help to increase control over personal data and provide additional protection to data subjects. Whilst this approach is not necessary for transfers between EU member states, it is essential for transfers to third countries and is also an appropriate approach for transfers to countries with adequacy decisions subject to review.
In November 2020, in the wake of the Schrems II judgement revoking adequacy via Privacy Shield for transfers to the US, the European Commission published new draft Standard Contractual Clauses (SCCs) to be used when transferring data to third countries. The new draft SCCs require consideration of local data protection laws and a transfer impact assessment, and contain provisions relating to access by public authorities as part of a surveillance regime.
What are organisations doing?
At the Securys webinar held in January 2021, during the extended transition period of up to six months in which the UK is not a third country pending a possible adequacy decision, we asked attendees about their preparations. Just 10% were confident that the UK would get an adequacy decision. 27% were actively preparing for the UK to become a third country without an adequacy decision and 63% were waiting to see what happened before taking any significant action.
There are some positive signals on UK adequacy from the EU, but still some hurdles to overcome.
In February, the European Commission released a draft adequacy decision concluding that the UK ensures an adequate level of protection for personal data. However, the Commission also indicated that it would be keeping a close eye on UK divergence from European data protection standards, and took the unique step of giving the proposed adequacy a “sunset clause” with the decision expiring in four years’ time.
In March, the European Data Protection Board discussed the draft UK adequacy decision and will now thoroughly review the draft and comment on it. It is likely that areas of comment will include the need for protection for onward transfers to third countries and the challenges brought by the UK surveillance regime.
The draft will then be submitted to member states - who can block adequacy if a qualified majority vote to do so - before a final decision by the Commission.
It is quite possible that the draft adequacy decision will be adopted by the European Commission, but any work done to understand risks and to address them will not be wasted. Any adequacy decision may be challenged, as the Schrems II case has shown, and will be subject to regular review, so having your own assessment of risk and your own measures in place will leave organisations less exposed to the need for sudden action in future and better placed to show data subjects that their right to privacy is respected.
Our view remains that working to map EU-UK data flows, exploring exposure of personal data to surveillance regimes and putting appropriate safeguards in place to minimise risk to data subjects is a prudent course of action for organisations to take.