Personal data will continue to flow unimpeded from the EU to the UK, EU member states have agreed, in a unanimous decision that will save many businesses on both sides of the Channel from spending a lot of time and money on complex legal formalities.
All 27 member states voted in favor of granting the UK an adequacy decision – a special status that recognizes that the country’s data laws protect personal information as well as the EU’s GDPR does.
Countries that are granted adequacy status gain the right to receive and process the personal data of EU citizens, which many organizations rely on to do business.
With the UK’s departure from the EU, the country ceased to be protected by the GDPR and relies on national laws to manage citizens’ personal data. These laws had to be assessed by EU regulators to ensure they meet the bloc’s data protection standards. Without an adequacy decision, organizations would have had to design special contracts, called standard contractual clauses (SCCs), to ensure that they legally processed the data of European citizens. Economists estimate that the total cost of implementing these new contracts to ensure the legal flow of data could be as high as £1.6bn, with small businesses hit the hardest.
Obtaining an adequate level of protection was therefore a key element in the Brexit negotiations. Earlier this year, the European Commission released a draft document setting out the details of an adequacy decision for the UK, which determined that UK laws do provide a level of data protection equivalent to GDPR.
The decision was approved by the European Data Protection Board (EDPB) in April and has now received the green light from member states, meaning adequacy is on the way to being implemented. It’s no surprise that organizations and businesses in the EU and UK have welcomed the announcement.
“A positive decision on data adequacy is a huge relief for thousands of businesses across the UK – more than half of companies polled by DMA just before Brexit said it was important to the ‘future of their business’,” says Chris Combemale, CEO of the Data and Marketing Association (DMA). “The government has estimated that without an adequacy the UK economy could lose up to £85 billion, so this announcement is a significant boost after a difficult year.”
The UK could reassess its level of protection
The volume of personal data that is exchanged between the UK and the EU is significant and spans virtually every industry – think legal and financial services, but also e-commerce, human resources and even healthcare. The Federation of European Medical Academies (FEAM), for example, has pointed out that the provision of cross-border healthcare and social services to thousands of European citizens depends on the unrestricted flow of data with the UK. Transfers of health data are also essential to advance scientific research.
While adequacy has been granted to the UK for now, the ruling only applies to UK data law as currently drafted. Also known as “UK GDPR”, the country’s national rules are currently modeled on European law and, as such, ensure a high level of data protection for citizens. But, should that change, the EU has made it clear that it may re-evaluate its decision and withdraw the deal.
This question could become a point of contention. Over the past few months, the UK has repeatedly indicated that it wants to take the opportunity of Brexit to deviate from the standards set by the EU’s GDPR to spur growth and innovation.
“The adequacy was received on the basis that the UK would not diverge and change the level of protection,” said Estelle Massé, senior policy analyst and head of data protection at the digital rights defense organization Access Now. “If the UK government were to go through with it, then the entire legal system on which the EU based its adequacy determination will no longer be in place and will have to be reassessed.”
Days before EU member states voted in favor of adequacy, a government task force submitted a report to the UK Prime Minister with recommendations to reform the country’s regulatory landscape – including some changes to the UK GDPR. Describing the GDPR as “outdated,” the task force called on the government to use its “new regulatory freedom” to replace the GDPR with a new UK data protection framework.
GDPR compliance can cost businesses up to 30 business days per year, the report says, posing a significant barrier to innovation and growth. To create a more business-friendly environment, the UK should implement data laws that are more proportionate and place lower compliance burdens on small organizations.
In particular, the report’s authors call for the removal of a provision in the GDPR that allows citizens to opt out of being subject to a decision based solely on an automated decision-making system – meaning that organizations must always have a human-based process available as an alternative. Instead, the task force suggests that automated decisions be subjected to a test to determine whether they are in the public interest, and whether they meet critical criteria for fairness and transparency.
The authors also highlight the GDPR’s restrictions on using data for purposes other than those for which it was collected, and argue that this means organizations cannot experiment with the data to understand its potential value in new applications.
The coming months should reveal how far the UK wants to go in transforming its national data protection rules – and most importantly, how much leeway the EU will be prepared to grant. On both sides, warns Estelle Massé, the outcome of the strategy is still uncertain. “It is really incomprehensible to work so hard to get this match and, when we are on the verge of obtaining it, to indicate to the EU that it could change,” she notes. “It’s a really tough diplomatic game – almost like the UK is testing the limits of the EU.”