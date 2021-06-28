UK digital businesses could breathe a sigh of relief today as the European Commission formally signed on data adequacy for the (now) third country, after Brexit.

It’s a big deal for businesses in the UK as it means the country will be handled by Brussels as it has essentially equivalent data protection rules like markets within the bloc, despite no longer being a member itself – enabling it to personal data continue to flow freely from the EU to the UK, and avoiding any new legal barriers.

Granting adequacy status has all been safe in recent weeks, as European Union Member States signed a draft adequacy adjustment. But the adoption of the decision by the Commission marks the last step in the process – at least for now.

It is obvious that the Commission PR includes a clear warning that if the UK seeks to weaken the protection provided to people’s data under the current regime it “will intervene”.

In a statement, Vra Jourov, VP Commission on Values ​​and Transparency, said:

The UK has left the EU but today its legal regime of personal data protection is as it was. Because of this, we are adopting these eligibility decisions today. At the same time, we have listened very carefully to the concerns expressed by Parliament, Member States and the European Data Protection Board, in particular regarding the possibility of future divergence from our standards in the UK privacy framework. We are talking here about a fundamental right of EU citizens that we have a duty to protect. That is why we have considerable safeguards and if anything changes on the UK side, we will intervene. “

The UK sufficiency decision comes with a Damocles Sword baked in: A four-year sunset clause. That’s the first thing – congratulations, congratulations to the UK government on projecting a perception of itself as unbelievable in the short term.

This clause means that the UK regime will face full scrutiny back in 2025, with no automatic renewal if its standards are deemed to have slipped (so much so that they fear they will).

The Commission also points out that its decision does not mean that the UK has four years’ clearly ‘guaranteed’. On the contrary, he says he will “continue to monitor the legal situation in the UK and can intervene at any time if the UK deviates from the current level of protection in the country”.

Third countries without a sufficiency agreement – such as the US, which have eligibility twice hit by the European Supreme Court (after finding that US oversight law was incompatible with fundamental rights do not enjoy ‘quiet’ legal certainty about the flow of personal data; and should instead take steps to evaluate each of these transfers individually to determine if (and how) they can move data legally.

Last week, the European Data Protection Board (EDPB) issued the latest guidelines for third countries wishing to transfer personal data outside the blockchain. And the tips make it clear that some types of transfers are unlikely to be possible.

For other types of transfers, the councils discuss a number of additional measures (including technical steps such as strong encryption) that may be available for use by a data controller so that, through their technical efforts, contractual and organizational, raise the level of protection to achieve the required standard.

In short, it’s a lot of work. And without today’s eligibility decision, UK businesses would have to be familiar with EDPB guidelines. For now, however, they have avoided that bullet.

The qualifier is still very much needed because the UK government has signaled that it intends to rethink data protection.

Exactly how this happens – and to what extent the current ‘substantially equivalent’ regime changes – can make all the difference. For example, the digital minister Oliver Dowden has said the data is “a great opportunity” for the UK, after Brexit.

And writing in the FT back in February, he suggested there would be room for the UK to rewrite its national data protection rules without shifting so much as to jeopardize compatibility. “We aim to fully adhere to those world-class standards. But to do that, we do not need to copy and paste the EU rules book, the General Data Protection Regulation, literally, “he later suggested, adding:” Different countries like Israel and Uruguay have successfully secured compatibility with Brussels despite having their own data regimes. Not all were identical with the GDPR, but equality should not mean the same thing. The EU does not have a monopoly on data protection. “

The devil, as they say, will be in the details. For some early signals are disturbing – and the initial UK ecosystem would be well advised to take an active role in impressing the government on the importance of staying in line with European data standards.

Furthermore, there is also the prospect of a legal challenge to the eligibility decision – even as it is, ie based on current UK standards (which find quite critical) Certainly can not be ruled out – and CJEU has not avoided breaking other sufficiency arrangements that it deemed invalid

Note that reaching this stage was completely predictable; it was never the extended Compliance Data Transfer Commission that would take the case law of the ECHR seriously. Only the Court can the ‘guardian of the Treaties’ has long since left the building. The saga continues. – Michael Veale (@mikarv) June 28, 2021

Today, however, the Department for Digital, Media, Culture and Sports (DCMS) took the opportunity to celebrate a PR victory, writing that the Commission’s decision “rightly recognizes the country’s high standards of data protection”.

The department also reiterated the UK government’s intention to “promote the free flow of personal data globally and across borders”, including through what it bills as “ambitious new trade agreements” and through new data adequacy agreements with some from the fastest growing economies “- while claiming it would do so” while ensuring that people’s data continues to be protected to a high standard “. Pinky Promise.

“All future decisions will be based on what maximizes innovation and keeps up with technology development,” DCMS added in a press release. “As such, the approach of governments will seek to minimize the burden on organizations seeking to use data to address some of the most pressing global issues, including climate change and disease prevention.”

In a statement, Dowden also made a point of combining the two streams, saying: “We will now focus on unlocking the power of data to drive innovation and grow the economy by making sure we protect security and privacy. of people”

Business and technology associations in the UK were just as quick to welcome the Commission’s decision on eligibility. The alternative of course would be very costly disruption.

In a statement, John Foster, policy director for the Confederation of British Industry, said: “This progress in the EU-UK sufficiency decision will be welcomed by businesses across the country. Free data flow is the foundation of the modern and essential economy for firms in all sectors, from automotive to logistics – playing an important role in the day-to-day trade of goods and services. This positive step will help us move forward as we develop a new trade relationship with the EU.

In another supporting statement, Julian David, CEO of techUK, added: Ensuring an EU-UK sufficiency decision has been a key priority for techUK and the wider technology industry since the day after the 2016 referendum. data center offers an equivalent level of protection against the EU GDPR is a vote of confidence in the UK’s high standards of data protection and is vital for UK-EU trade as the circulation of Free data is essential for all business sectors.

The data adequacy decision also provides a basis for the UK and EU to work together on global avenues for free data flow with confidence, relying on the G7 Digital and Technology declaration and possibly unlocking 2TR growth . The UK should also now move towards completing the development of its international data transfer regime in order to allow UK companies not only to exchange data with the EU, but also to be able to afford in all the world.

The Commission has currently adopted two UK sufficiency decisions today – one under the General Data Protection Regulation (GDPR) and another for the Law Enforcement Directive.

Discussing key elements in its decision to grant eligibility to the UK, EU lawmakers emphasized the fact that the (current) UK system is based on transposed European rules; that access to personal data by UK public authorities (such as for reasons of national security) takes place under a framework that calls it “strong protection” (such as eavesdropping subject to prior authorization by a independent judiciary; measures that need to be necessary and proportionate; and redress mechanisms for those who believe they are subject to illegal oversight).

The Commission also noted that the UK is subject to the jurisdiction of the European Court of Human Rights; must adhere to toEuropean Convention on Human Rights; AND Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data – aka “the only binding international treaty in the field of data protection”.

“These international commitments are an essential element of the legal framework assessed in the two sufficiency decisions,” the Commission notes.

Data transfers for UK immigration control purposes have been excluded from the scope of the eligibility decision adopted under the GDPR – with the Commission saying that “in order to reflect a recent judgment of the Court of Appeal of England and Wales on the validity and interpretation of some restrictions of data protection rights in this field ”.

“The commission will re-evaluate the need for this exemption once the situation is regulated under UK law,” he added.

So again, there’s another warning right there.