The UK government has welcomed the European Commission’s draft data adequacy decisions, which set out that the UK should be found ‘adequate’.
In a statement the government notes that as the UK’s data protection system is currently the same as the EU’s, “it is logical that the Commission should find the UK ‘adequate’.”
The EU already recognises other countries around the world as adequate including Argentina, Canada, Israel, Japan, New Zealand, Switzerland and Uruguay, and the UK freely exchanges data with these countries.
Positive data adequacy decisions under both the EU General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED) would allow for personal data to continue to flow freely from the European Union (EU) and wider European Economic Area (EEA) to the UK, it added.
Technical confirmation of the draft adequacy decisions will help make sure UK organisations can continue to receive personal data from the EU and EEA without additional compliance costs. This ensures they will avoid potential knock-on effects for consumers and boost UK start-ups and smaller firms which operate in EU markets and sell to EU customers.
The UK formally provided the Commission with explanatory material nearly a year ago at the start of the adequacy assessment in March 2020. The UK has already recognised the EU and EEA member states as ‘adequate’, as part of its commitment to establish a smooth transition for the UK’s departure from the bloc and manage data flows on an objective basis.
Since then, UK officials led by the Department for Digital, Culture, Media and Sport (DCMS) have held a series of discussions with their European Commission counterparts to reiterate help meet the UK’s legal and regulatory framework and that the country meets the EU’s data adequacy requirements.
The draft decisions published by the Commission will now be shared with the European Data Protection Board for a ‘non-binding opinion’, before being presented to EU member states for formal approval.
You might also like
The government said the UK made its representations to the EU “in a timely manner” but the Commission did not finalise draft decisions in time to complete the adoption process by the end of the transition period. For this reason, as part of the UK/EU Trade and Cooperation Agreement, a time-limited ‘bridging mechanism’ for personal data flows was agreed. This currently allows personal data to continue to flow as it did before the end of the Brexit transition period for up to six months, while the EU completes the adequacy process.
The UK government said it wants the EU to swiftly complete this technical process for adopting and formalising these adequacy decisions as early as possible.
“I welcome the publication of these draft decisions which rightly reflect the UK’s commitment to high data protection standards and pave the way for their formal approval,” said Secretary of State for Digital, Oliver Dowden.
“Although the EU’s progress in this area has been slower than we would have wished, I am glad we have now reached this significant milestone following months of constructive talks in which we have set out our robust data protection framework.
“I now urge the EU to fulfil their commitment to complete the technical approval process promptly, so businesses and organisations on both sides can seize the clear benefits.”
“The European Commission’s decisions that the UK’s data protection regime offers an equivalent level of protection to the EU GDPR reflects the UK’s high data protection standards,” added Julian David, CEO of techUK.
“Today’s decision is warmly welcomed by the tech sector which has been making clear the importance of a mutual data adequacy agreement since the day after the referendum.
“Receiving data adequacy, alongside the EU-UK Trade and Cooperation Agreement, will set a solid foundation for digital trade with the EU, including strong non-discrimination clauses and positive data flows provisions, that will give businesses the confidence to invest.”