New Year (Adequacy) Resolutions…..A Brexit Update
This blog post gives an update on data transfers between the UK and the EU post-Brexit, and adequacy decisions. (Please note, this article was published in January 2020 and is based on information available at that time.)
As is traditional at this time of year, declarations and plans for the future are made…the EU Commission is no exception to this.
On 10th January 2020, the Council Working Party (Article 50) published slides for presentational and information purposes concerning the topic of the “ruling of adequacy” to make the UK a safe place to transfer Personal Data once the UK leaves the European Union (EU). Whilst the UK Government have been stating their intent to request such a ruling for some time, this clarification and outline of the process will come as a relief to businesses within the UK that rely on free transfers of data, for example, those in the telecoms, technology, and financial services industries.
In summary, if the UK withdraws from the EU with agreement on 31st January 2020 there will follow an 11-month transition period which will allow for:
Adoption of negotiating directives;
Conduct of negotiations;
Signature/conclusion and entry into force of future agreement by 1st January 2021
In other words, the assessment of the UK privacy framework will commence with a view to providing an adequacy decision under the General Data Protection Regulation (GDPR) by the end of 2020.
The slides presented set out the steps to adopt the adequacy decision:
Assessment by the Commission, in close cooperation with the UK
Draft Commission decision (Implementing Act)
Opinion by European Data Protection Board
Comitology: vote by Member States (qualified majority) in the Standing Committee
Adoption by the College
At the same time as this negotiation, the UK has also committed to ratify data transfers to the EU from the UK as “safe”.
Of course, there is still a risk that the ruling of adequacy may falter: the UK may not achieve its goals during the 11-month transition period and be left with a “no-deal” scenario. If that were to occur, UK businesses would need to enter into standard contractual clauses with their EU-based counterparts to evidence “safe” transfers: one way or another data transfers will occur in line with GDPR requirements.
To conclude, the information presented by the Council Working Party (Article 50) is good news. With a ruling of adequacy in place, businesses will not have to enter into administratively burdensome standard contractual clauses and can instead rely on the ruling which preserves the status quo i.e. the free flow of personal data between the UK and the EU.
Release Date: January 29, 2020
Caroline Smith
Caroline is a UK qualified lawyer with over 18 years’ experience and currently serves as HireRight’s Deputy General Counsel for the EMEA and APAC regions. When not “lawyering” or writing blogs, Caroline can be found striking yoga poses in remote locations such as Mongolia and Bhutan.