EU set to grant UK data adequacy status

The European Union (EU) is set to allow data to flow freely from its territories to the UK after finding that it has comparable data protection laws in place.

This decision, which has been drafted by the European Commission, should be approved imminently, according to the Financial Times (FT), and will prove a huge relief for businesses nervous about the potential disruption to data flows.

Withdrawal from the EU relegated the UK to ‘third country’ status, meaning that data transfers from the EU to the UK would be blocked by default. Only a formal adequacy agreement, which deems the UK as a secure third country, could restore flows.

As part of post-Brexit agreements, however, the EU and the UK arranged a six-month continuity period specifically to allow for time to consider the UK’s data adequacy status.

This agreement, expected to be announced this week, will be continuously reviewed by the EU and will be subject to legal challenges at the European Court of Justice, however.

This means that while the UK’s laws are deemed to be comparable to the EU’s at present, there are no guarantees it’ll retain this status in future should it tweak its laws and strike arrangements with other countries.

Global director of privacy at Veritas Technologies, Mark Keddie, branded this a welcome step for businesses looking to manage their data across the UK and Europe.

“However,” he continued, “we would advise organisations not to become complacent as this stay of execution could be short-lived.

“As with previous similar agreements, most recently the EU–US Privacy Shield and its predecessor Safe Harbor before, there is a distinct possibility that a Privacy NGO will in the near future bring a legal challenge in the European Court seeking to invalidate any UK data adequacy finding.

“Those businesses that stay focused on maintaining robust data privacy controls and good data hygiene practices will be best suited to manage any future data shocks as the EU-UK relationship develops.”

Keddie was referring to the primary data transfer mechanism between the EU and the US, dubbed Privacy Shield, which was invalidated last year by the European Court of Justice, which deemed it incompatible with GDPR.

Privacy Shield, which was a replacement for the invalidated Safe Harbour Principles, was introduced in 2016 to solve the problem of sending data from the EU to the US given the latter’s relatively invasive surveillance laws.

European figures have hinted that the UK may risk not being granted data adequacy, or losing this status once it has been attained, should it pursue data transfer arrangements with the US. Terms of any agreement between the two nations, subject to examination, may not be compatible with GDPR, the European Data Protection Board (EDPB) warned last year.

The EU’s data adequacy agreement will be reviewed every four years, according to the FT, to ensure it doesn’t compromise the privacy of EU citizens, and will also allow for data transfers on law enforcement matters.