On 21 June 2021, the United Kingdom and the European Council signed a post-Brexit data adequacy deal to ensure data transfers could continue between the EU and the UK.
Following the UK’s official withdrawal from the EU on 1 January 2021, the two blocs agreed to temporarily keep existing data transfer arrangements in place, while negotiating a permanent adequacy solution (i.e. the EU agreeing a country can be in its data sharing club). The recently signed agreement will enable the UK to keep its existing data adequacy agreement in place, while also approving the UK’s data protection system and protocols for the transfer of personal data from Europe.
When it comes to Brexit, media outlets and commentators have always been more focused on the ways that the UK’s withdrawal from the EU would affect how people travel and businesses trade. Little to no attention has been given to what Brexit would mean for data protection, yet it’s always been an area of key importance. So, what does this latest agreement mean for data management?
The big deal with data
When the General Data Protection Regulation (GDPR) came into effect across the EU member states on 25 May 2018, it was the most ambitious piece of data regulation ever passed by the European Union. New rules were introduced relating to the way personal data was collected and processed, improving the protection of European data subjects’ rights, while also clarifying what companies that process personal data would have to do to safeguard these rights.
In short, all businesses dealing with data relating to EU citizens would have to ensure they were GDPR-compliant and the rules applied across all members of the European Union. Now that the UK has left the EU, continued compliance with GDPR has recently been an important factor in the data adequacy discussion.
The quest for alignment
Even with the UK leaving the EU, data transfers between the two are such an integral part of so many UK businesses that the free flow of personal data should be maintained.
Back in 2018, in preparation for the end of the transition period on 31 December 2020, the UK Government enacted a new data protection act called the DPA 2018. This act was designed to sit alongside and supplement something called the ‘UK GDPR’, ostensibly a copy/paste of the European version. The theory was that copying the EU GDPR (initially, at least) would harmonise the data privacy rules between the UK and the EU and make the path to ‘adequacy’ somewhat more straightforward.
This wasn’t a given though, as a ‘data adequacy’ ruling requires the seal of approval from the European Commission first. Unfortunately, it’s not enough for a country to just mimic the data privacy rules of the EU; it needs to demonstrate that it’s enforcing them properly and that there aren’t any other laws that contradict the GDPR. It’s a legal and bureaucratic minefield.
The risks of divergence
While a data adequacy agreement has been reached to ensure the continued free flow of data between the UK and the EU, the deal could prove temporary should the UK choose to veer too far from the principles of GDPR in its ambition to become a global leader in the tech space.
After all, it wasn’t long ago that the European Data Protection Board (EDPB) voiced concerns about the UK’s ability to make changes to its data protection laws in the future, especially concerning other nations outside of the EU. This means that in theory, over time, the UK could diverge from the EU GDPR if it doesn’t agree with new rules or regulations.
Divergence has its pros and cons: on the one hand, it could mean simpler, more streamlined rules for the UK to follow in the future; on the other hand, if the UK deviates too far from the original GDPR guidelines, the EU may decide the UK is ‘non-adequate’ and restrict the free flow of personal data. The potentially disruptive effect this could have on a significant number of British businesses cannot be overlooked.
The challenge ahead
It’s important to understand that adequacy is not set in stone and it can be revoked at any time, especially if the UK takes too many liberties in reinterpreting and redefining guidelines when it comes to international transfers of data. As a result, the UK needs to pull off a delicate balancing act in the years ahead.
However, it’s looking like this balancing act won’t be achieved without resistance from some quarters within the UK government. The Taskforce on Innovation, Growth and Regulatory Reform (TIGRR) has been particularly vocal about GDPR’s position on data collection, which needs to be for specified, explicit and legitimate purposes, as well as adequate, relevant and limited to what is necessary. TIGRR’s view is that these restrictions could prove detrimental to the growth of AI, as limited access to new data constrains what companies are able to achieve. It’s likely this won’t be the last disagreement between the two blocs.
These differences of opinion will likely cause concern to UK companies that depend on being able to access EU personal data. For this reason, it’s in the best interest of business owners to maintain a close watch on developments between the UK and EU in the months ahead when it comes to the management of data. Adequacy may have been achieved for now but, as we’ve established, its long-term status is anything but guaranteed.