Under the General Data Protection Regulation (GDPR), the European Commission determines whether third countries provide adequate protection for personal data. The Trade and Cooperation Agreement provided a bridging mechanism, which was due to end on 30 June 2021.
Kate Brimsted, partner at Bryan Cave Leighton Paisner, said: ‘This formal recognition of the adequacy of the UK’s data protection laws is a highly significant step.
‘It will save EU businesses with UK-bound data flows―as well as their UK business partners―a considerable amount of red tape. The decision was not a forgone conclusion and objections and concerns were raised by the European Parliament during the process.’
However, she highlighted the fact the decision came with a built-in expiry date of four years.
‘As well as this, if the UK’s data policy innovations go too far for the European Commission’s liking, there is the ability to revoke the decision immediately,’ she said.
‘While this comes as a relief (if not a surprise), the UK will have to box clever when it comes to its post-Brexit liberalisation of laws, and its digital strategy-setting. The UK government’s TIGRR [Taskforce on Innovation, Growth and Regulatory Reform] report last month proposed replacing the GDPR with a “more proportionate framework”, something which sounds exactly the kind of move likely to endanger the UK’s adequacy decision, if taken up.’
Had the European Commission decision gone the other way, all those processing personal data would have been required to put in place appropriate safeguards or rely on exemptions in data protection law.
The Law Society, which has been urging members to hope for the best but prepare for the worst, welcomed the news but recommended members regularly review their contingency planning.
Law Society president I Stephanie Boyce said: ‘Though adopted, adequacy decisions are time-limited, subject to review and may even be challenged in the future especially if the UK diverges from EU regulation.’