UK and Ireland data transfers: ‘adequacy’ is not the end of the matter

SME Comply explain the European Commission’s latest adequacy update for Chamber members.

The European Commission (EC) published a draft UK adequacy decision on the 19 of February 2021, which will come as a huge relief for businesses across all industries in the EU and the UK.

Under the terms of the EU and UK trade and cooperation agreement, data transfers were of course permitted to remain unrestricted following the Brexit transition period for a period of four months from the 1st of January 2021, extendable by further two months to the 01 July 2021 until alternative measures, such as the adequacy decision, could be agreed for EU transfers to the UK. NB The UK Government had already confirmed that transfers from the UK to the EU could continue in any event.

When deciding whether or not to grant an adequacy decision, the EC must determine whether the third country in question (United Kingdom) guarantees a level of protection which is “essentially equivalent” (not identical) to the providers in the EU.  There are concerns surrounding the UK’s surveillance laws which may lead to legal challenges further down the line. However these same surveillance laws have been UK domestic law for a number of years alongside the GDPR, so any challenge in the coming months will be interesting.

In terms of the draft adequacy decision, this will now be reviewed by the European Data Protection Board (EDPB), and then submitted to the committee comprising of a representative from each EU member state to provide a formal opinion (by way of vote). If adopted, the adequacy decision will be in force for four years, after which it may be renewed if the level of protection remains adequate. If the UK are deemed ‘inadequate’ then certainly EU businesses will need to look at alternative data transfer mechanisms, such as Standard Contractual Clause’s (SCC’s) as a minimum.

What do UK and Irish businesses need to do?

For UK businesses, the end of the Brexit transition period has meant that the UK data protection regime is governed by the UK GDPR and the Data Protection Act 2018, which contain almost identical provisions to the EU GDPR.  Indeed many businesses may now find themselves subject to dual regulatory regimes , both the EU GDPR and UK GDPR.

Furthermore, a favourable adequacy decision is not a passport to ‘continue as normal’.  Additional compliance measures may need to undertaken, irrespective of the decision, such as the appointment of:

  1. An EU representative (if the UK business offer goods or services to the Irish or wider EU market or monitor individuals in the EU, for example by way of placing cookies or behavioural advertising) and do not have an establishment in the EU; or
  2. A UK representative (if the Irish or EU business continues to offer goods or services to the UK market or monitor individuals in the UK, for example by way of placing cookies or behavioural advertising) and do not have an establishment in the UK.

In addition to this requirement, UK companies will need to establish which EU country will be their lead supervisory authority, considering the Information Commissioners Office (ICO – the UK’s supervising authority) is no longer part of the GDPR supervising authority ‘bloc’. Many UK companies are opting to designate Ireland as their lead supervising authority as it is the only other English speaking country in the EU. However EDPB guidance suggests that businesses should have customers in the designated country.

Finally, if adequacy is adopted, businesses will need to revisit their privacy policies to update their mechanism for transferring personal data to and from the UK to make reference to the adequacy decision, if granted.

SME Comply Director, Gary O’Reilly, says: “Many organisations I have spoken to were of the view that they would not need to appoint an EU or UK Representative if an EU adequacy decision was made in favour of the UK.  They are unfortunately incorrect. The adequacy decision relates to data flows to and from the UK only. Other GDPR obligations still need to be complied with.  It’s not too late to get your organisation up-to-speed with GDPR Compliance and other data protection laws both in the UK and the EU. The SME Comply team can support your business through the transition and ensure you’re compliant in the UK and the EU.”

If you require any support with your EU and UK GDPR, compliance or data protection obligations, including our EU and UK representative service, please contact Gary on 01386 291011, email info@smecomply.co.uk or go to: smecomply.co.uk to learn more | Facebook | Twitter | LinkedIn.