After years of uncertainty in the wake of the U.K.'s vote in 2016 to leave the EU, there are finally sign posts for privacy pros to look to as both regions aim to secure cross-border data transfers through U.K. adequacy. In a massive trade agreement signed last Christmas Eve, both regions secured a temporary transfer period that provides the U.K. government and European Commission time to complete an adequacy agreement. 

But, of course, the clock is ticking. 

"We don't see why the U.K. shouldn't get adequacy and promptly," U.K. Department for Digital, Culture, Media & Sport Head of U.K. International Transfer Regime Joe Jones said in a LinkedIn Live panel event hosted by the IAPP. "It's in the U.K.'s and EU's interests that it happens as soon as possible. The free flow of data is important to both regions." 

Jones' counterpart in the European Commission, Bruno Gencarelli, who also took part in Wednesday's discussion, indicated the process for U.K. adequacy is moving forward at this very moment. "Our intention is to launch the decision in the coming weeks," Gencarelli said, though, he pointed out the decision "is not completely in our hands." 

As part of the proceedings, the commission will share the draft decisions (one for the EU General Data Protection Regulation, the other for the Law Enforcement Directive) with the European Data Protection Board — the group of 27 EU data protection authorities. Once the EDPB issues its opinion, it then goes through the EU's comitology procedure. Gencarelli explained this means the draft decision would go to representatives from the 27 member state governments for majority approval. Finally, an approved decision would then go to the College of Commissioners of the European Commission

Keep in mind, this must all be done during the so-called "bridging mechanism" laid out in the U.K. Trade Agreement that was signed last Dec. 24. Gencarelli assured the commission's intention is to complete the decision during the bridging period. 

Both Gencarelli and Jones also highlighted one novel aspect of the Trade Agreement: It rules out data localization. "The U.K. and EU have done that for the first time in the history of trade agreements. At the same time, the U.K. and EU can enjoy regulatory autonomy in data protection provided that the system contains transfer mechanisms. That's a very interesting way of dividing genuine data protection and digital protectionism. It's an important achievement and sets an interesting precedent for other trade agreements." 

Considering that transborder data flows are a two-way street, Jones confirmed the U.K. has formally approved the adequacy of the EU and all 12 nations deemed adequate by the EU. 

Jones also expressed optimism for the U.K.'s adequacy prospects, and more broadly, on its role as a world leader in data protection standards. "It's worth recalling," he said, "that there has not ever been a third country whose data protection standards have been so close to the EU." He highlighted the U.K. government's already published National Data Strategy. "We want our data protection laws to remain fit for purpose and to keep up with technological change. We know that regulatory certainty allows businesses to thrive. We will continue to have high standards, but now (once the bridging period ends) the U.K. controls its own laws and regulations." He also gave a nod to some of the more pragmatic and cultural aspects of data protection, noting, "When we undertake adequacy assessments, it's very important that we consider privacy on the ground, as well as privacy on the books." 

Wednesday's moderator, Jetty Tielemans, who is a longtime attorney with Covington Burling and a recently appointed senior Westin fellow at the IAPP, brought up another confusing issue stemming from Brexit: Are relevant controllers and processors that are not located in either region but do target EU or U.K. citizens required to install representatives under Article 27 of the GDPR?

Gencarelli made it clear that EU law — the GDPR — whether during the bridging period or not, still applies. "Neither the bridging period nor a future adequacy decision does away with the other requirements of the GDPR. The same goes for other adequate nations," he said, "including Japan, for example. If subject to the GDPR, I have to appoint a representative notwithstanding an adequacy decision to satisfy the provisions of the GDPR." 

Jones also addressed questions about the fate of EU citizen data processed in the U.K. prior to Brexit. He said the Trade Agreement covers this, noting that data processed prior to Dec. 31, 2020, will remain under the scope of the GDPR until the U.K. reaches an adequacy decision with the EU. Then, such data will be subject to U.K. law. 

Significantly, Gencarelli also addressed another big issue on top of mind: the update to standard contractual clauses and fate of the EU-U.S. Privacy Shield talks. 

On SCCs, he was clear that the timeline for adoption is "around March." He said there was been a good and rich consultation with the EDPB on the matter. 

He was also optimistic about the Shield talks. "There's a strong willingness (on both sides) to address the issue," Gencarelli said. He pointed out that the first question asked of the incoming U.S. secretary of commerce by the U.S. Senate was on Privacy Shield. He said in the meantime there will be exploratory talks and they will map various solutions. 

"We are very happy to see that the U.S. wants to engage on this," Gencarelli said. "We will intensify our work and contacts with the U.S." Though, he said, there will be "no quick fix and no shortcuts." 

From a global scope, both Gencarelli and Jones had slightly different takes. Jones noted the state of play now is different than it was five or ten years ago. "It's important to embrace that different countries will take different approaches to privacy," which reflects its cultures, traditions, norms and institutions. "They might still have high data protection standards but may achieve those through different ways." 

Gencarelli underpinned the importance of "convergence." Unlike "interoperability" or "identity," convergence, he said, "brings us together even with different means. ... We're seeing this around the world, from California to Japan and Brazil." Ultimately, there will be a need to promote data transfers around the world.