Almost five years to the day from when the Brexit vote took place, the questions around U.K. adequacy have been laid to rest, at least for now.
The European Commission announced it officially adopted a pair of adequacy decisions for the U.K., one for the EU General Data Protection Regulation and another for the Law Enforcement Directive. The announcement comes just days before the "bridging mechanism" for data transfers between the EU and U.K. was set to expire.
"The U.K. has left the EU but today its legal regime of protecting personal data is as it was," European Commission Vice President for Values and Transparency Věra Jourová said in a statement. "Because of this, we are adopting these adequacy decisions today. At the same time, we have listened very carefully to the concerns expressed by the Parliament, the Members States and the European Data Protection Board, in particular on the possibility of future divergence from our standards in the U.K.'s privacy framework."
"After months of careful assessments, today we can give EU citizens certainty that their personal data will be protected when it is transferred to the U.K.," European Union Justice Commissioner Didier Reynders said in a statement. "This is an essential component of our new relationship with the U.K."
The European Commission found the U.K.'s data protection system continued to adhere to the same rules that were applicable when it was an EU member state, as it had "fully incorporated" the principles, rights and obligations of the GDPR and Law Enforcement Directive into its post-Brexit legal system. The commission also noted the U.K. system provides "strong safeguards" in regards to how it handles personal data access by public authorities, particularly for issues of national security.
While momentum had been building toward U.K. adequacy for some time now, that did not mean the process was going to conclude without a new wrinkle or two.
For the first time, an adequacy decision has an official time limit. The commission included a "sunset clause" for U.K. adequacy. The decisions are set to automatically expire four years after they go into effect. The U.K. can have their adequacy status renewed as long as it maintains an adequate level of data protection.
Should the U.K. deviate too far from the level of protection it currently has in place, the commission has the right to intervene.
The adequacy decisions also reflect more recent developments as well. Data transfers made for the purpose of U.K. immigration control are excluded from the scope of the decision adopted under the GDPR. This comes after a ruling earlier this month from the U.K. Court of Appeals, which deemed the government's "immigration exemption" in the Data Protection Act 2018 unlawful.
In response to the commission's announcement, the U.K. government welcomed the adequacy decisions. In a press release, the U.K. Department for Digital, Culture, Media & Sport said the government "plans to promote the free flow of personal data globally and across borders, including through ambitious new trade deals and through new data adequacy agreements with some of the fastest growing economies, while ensuring people’s data continues to be protected to a high standard."
U.K. Information Commissioner Elizabeth Denham was also pleased by the commission's decisions.
"Approved adequacy means that businesses can continue to receive data from the EU without having to make any changes to their data protection practices," Denham said in a statement. "Adequacy is the best outcome as it means organisations can carry on with data protection as usual. And people will continue to enjoy the protections that their data will be used fairly, lawfully and transparently."
EU and U.K. officials are likely not the only ones who will be happy to have an adequacy decision in the books, given the already rocky terrain around data transfers.
"That sense of relief will likely be shared by data exporters based in the EU who otherwise would have needed to implement data transfer mechanisms, such as standard contractual clauses, and 'Schrems II' supplementary measures before they could transfer personal data to the UK," said Promontory Senior Principal John Bowman, CIPP/E, CIPM, FIP, who formerly worked at the U.K. Ministry of Justice as the government's lead negotiator on the GDPR.
The questions around U.K. adequacy have been stirring for years since the Brexit vote took place June 2016, and while some may be breathing a sigh of relief, the story is far from over. Politico reports the U.K. adequacy decisions will likely be scrutinized over the coming months and years, and those who oppose the decisions may feel emboldened by the Court of Justice of the European Union's "Schrems II" ruling last year.
The sunset clause also means U.K. adequacy will be revisited in four years regardless of whether any campaign is successful, with the specter of the commission looming overhead should the U.K.'s practices fall out of line.
"So rather than being a conclusion to these negotiations, these decisions mark the transition to a process to keep (the) U.K.’s performance in data protection policy and implementation under close review," said Bowman. "It is therefore unlikely that the decisions will simply be filed away and then dusted off in 2025 to be reapproved on the nod. Instead, all eyes will be on where the U.K. goes next with its data protection policy, and whether an essentially equivalent level of protection for EU data subjects can be maintained."
But for now, both the EU and U.K. seem to be happy to have avoided any interruptions to their data transfers.