UK gets deal on EU data feeds – so far – TechCrunch
UK digital businesses can breathe a sigh of relief today as the European Commission officially approved the data suitability for the (now) third country, post-Brexit.
This is a big deal for UK businesses, as it means the country will be treated by Brussels as having data protection rules that are essentially equivalent to those in the markets within the bloc, although it is no longer itself. member – allowing personal data to continue to flow freely from the EU. to the United Kingdom and avoiding any new legal barriers.
The granting of adequacy status has been virtually assured in recent weeks, after European Union member states approved a draft adequacy agreement. But the adoption of the decision by the Commission marks the last step in the process, at least for now.
It should be noted that the Commission RP includes a clear warning that if the UK seeks to weaken protections for personal data under the current regime, it will ‘step in’.
In a statement, Věra Jourová, Vice-President of the Commission for Values and Transparency, said:
The UK left the EU, but today its legal regime for the protection of personal data is the same. For this reason, today we are adopting these adequacy decisions. At the same time, we have listened very carefully to the concerns expressed by Parliament, Member States and the European Data Protection Board, in particular on the possibility of a future divergence from our standards in the context of the UK privacy protection. We are talking here about a fundamental right of EU citizens which we have a duty to protect. This is why we have important guarantees and if anything changes on the British side, we will intervene.
The UK’s adequacy decision comes with a sword of Damocles: a four-year sunset clause. This is a first – so, uh, kudos to the UK government for projecting a perception of itself as untrustworthy in the short term.
The clause means the UK regime will come under scrutiny again in 2025, without automatic prosecution if its standards are deemed to have slipped (as many fear).
The Commission also points out that its decision does not mean that the UK has four years ‘guaranteed’ in clear. On the contrary, he says he “will continue to monitor the legal situation in the UK and could intervene at any time if the UK deviates from the level of protection currently in place”.
Third countries without an adequacy agreement – such as the United States, whose adequacy has been overturned twice by the highest European court (after finding that the US surveillance law is incompatible with the fundamental rights of the ‘EU) – do not enjoy’ transparent ‘legal certainty regarding personal data flows, and must instead take steps to assess each of these transfers individually to determine if (and how) they can move data legally.
Last week, the European Data Protection Board (EDPB) released its latest guidance for third countries wishing to transfer personal data outside of the bloc. And the advice makes it clear that certain types of transfers are unlikely to be possible.
For other types of transfers, the notice addresses a number of additional measures (including technical steps such as strong encryption) that a controller can use in order, through their own efforts technical, contractual and organizational, to increase the level of protection to reach the required standard.
In short, it is a lot of work. And without today’s adequacy decision, UK companies should have familiarized themselves with the EDPB guidelines. For now, however, they have dodged that bullet.
The qualifier is still very much needed, however, as the UK government has signaled its intention to rethink data protection.
How exactly this happens – and to what extent does it change the current “essentially equivalent” regime – can make all the difference. For example, the minister of digital Oliver Dowden said the data was “a great opportunity” for the UK, after Brexit.
And writing in the FT in February, he suggested that the UK would have the option of rewriting its national data protection rules without deviating too much to the point of endangering adequacy.
“We fully intend to maintain these world class standards. But in order to do that, we don’t need to copy and paste the EU regulation, the General Data Protection Regulation, word for word, ”he then suggested, adding that:“ From countries as diverse as Israel and Uruguay have managed to match Brussels despite their own data regimes. Not all of them were the same as GDPR, but equal doesn’t necessarily mean the same. The EU does not have a monopoly on data protection.
The devil will be, as they say, in detail. But some the first signs are worrying – and the UK startup ecosystem would be well advised to take an active role in educating government on the importance of staying aligned with European data standards.
In addition, there is also the prospect of a legal challenge to the adequacy decision – even as it stands, i.e. on the basis of current UK standards (which find a lot of criticism). This certainly cannot be ruled out – and the CJEU has not hesitated to overturn other adequacy provisions that it has found invalid …
Today, however, the Department of Digital Media, Culture and Sports (DCMS) seized the opportunity to celebrate a public relations victory, writing that the Commission’s decision “rightly recognizes the standards high data protection standards of the country ”.
The ministry also reiterated the UK government’s intention to “promote the free flow of personal data globally and across borders”, including through what it describes as “ambitious new trade deals and new business deals. ‘data fit with some of the fastest growing economies’ – simultaneously saying it would do so “while ensuring that people’s data continues to be protected at a high standard”. Small promise.
“All future decisions will be based on what maximizes innovation and keeps pace with changing technology,” DCMS added in a press release. “As such, the government’s approach will seek to minimize the burdens on organizations seeking to use data to tackle some of the world’s most pressing problems, including climate change and disease prevention.”
In a statement, Dowden was also keen to combine the two streams, saying: “We will now focus on unlocking the power of data to spur innovation and boost the economy while ensuring security and privacy are protected. people.”
UK trade and technology associations were equally quick to welcome the Commission’s adequacy decision. The alternative would of course have been a very expensive disruption.
In a statement, John Foster, policy director of the Confederation of British Industry, said: “This breakthrough in the EU-UK adequacy decision will be welcomed by businesses across the country. The free flow of data is the foundation of the modern economy and essential for businesses in all sectors – from automotive to logistics – playing an important role in the daily trade of goods and services. This positive step will help us move forward as we develop a new trade relationship with the EU. “
In a further supporting statement Julian David, CEO of techUK, added: “Obtaining an EU-UK adequacy decision has been a top priority for techUK and the wider tech industry. since the day after the 2016 referendum. The ruling that the UK’s data protection regime offers a level of protection equivalent to the EU’s GDPR is a vote of confidence in the UK’s high data protection standards United Kingdom and is of vital importance for trade between the UK and the EU, as the free flow of data is essential for all. activity area.
‘The data adequacy decision also provides a basis for the UK and the EU to work together on global roads for the free flow of data with confidence, building on the G7 digital statement and technology and possibly unlocking 2TR € of growth. The UK also now needs to complete the development of its own international data transfer regime to enable UK businesses not only to exchange data with the EU, but also to access opportunities across the world. “
The Commission has in fact adopted today two adequacy decisions in the UK, one under the General Data Protection Regulation (GDPR) and the other for the Enforcement Directive. .
Discussing the key elements of his decision to grant adequacy to the UK, EU lawmakers underlined that the UK’s (current) system is based on transposed EU rules; that access to personal data by public authorities in the UK (eg for national security reasons) is done within a framework which has what he termed “strong safeguards” (such as interceptions being subject to prior authorization from an independent judicial body; measures that must be necessary and proportionate, and redress mechanisms for those who believe they are under unlawful surveillance).
The Commission also noted that the UK is subject to the jurisdiction of the European Court of Human Rights; must join to the European convention of human rights ; and the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data – alias “the only binding international treaty in the field of data protection”.
“These international commitments are an essential element of the legal framework assessed in the two adequacy decisions”, notes the Commission.
Data transfers for the purposes of immigration control in the UK have been excluded from the scope of the adequacy decision adopted under the GDPR – with the Commission declaring that ‘in order to reflect a recent judgment of the Court appeal from England and Wales on the validity and interpretation of certain restrictions on data protection rights in this area ”.
“The Commission will reassess the need for this exclusion once the situation has been corrected under UK law,” he added.
So, again, there is another caveat there.