While everything seems to be on track with the UK being granted data adequacy by the EU, it isn’t a done deal yet. If it’s decided that EU-UK data transfers won’t be allowed to continue freely, then this has the potential to disrupt a significant number of British business. With the European Data Protection Board (EDPB) recently publishing two opinions on the matter, we know more about the process at hand.
We are still waiting for the EU to make a final decision on the UK’s data adequacy, but as time goes on, we are getting closer and closer to the decision being made. Earlier in the year the European Commission started the process of granting the UK data adequacy, and up until this week, the next big step was the EDPB reviewing and reporting its findings.
The EDPB published its opinions on the 16th of April, giving us a lot of insight into what they think of the UK being granted adequacy, and there is good news and bad news…
The Good News
The EDPB has agreed with the Commission’s decision, and we have continued on the path that will eventually lead to a data adequacy agreement for the UK. They have said that UK data protection is “essentially equivalent” to the protections put in place by GDPR, covering a range of factors including grounds for lawful and fair processing for legitimate purposes and transparency as well as others.
In fact, the EDPB have said that UK data protection goes beyond the minimum requirements needed for data adequacy with a high level of protection in place. This is thanks to, in part, our data protection laws mirroring EU GDPR, what with us being a member state when GDPR was first introduced. Interestingly though, the EDPB said they don’t expect UK data protection law to continue to replicate the EU’s.
This all implies that the UK will be granted data adequacy when the final decision is made, and it’s safe to say that our current laws are ticking all the required boxes for this.
The Bad News
Unfortunately, the EDPB have expressed caution, and have highlighted to the European Commission their power to amend or repeal the adequacy agreement. Their concerns revolve around the UK potentially making changes to their data protection laws in the future, especially with regard to other nations outside of the EU.
As a result, the EDPB has welcomed the decision to include a sunset clause attached to the UK’s data adequacy decision. This sunset clause covers a period of four years, meaning that in four years’ time UK data adequacy will be automatically repealed unless an additional agreement is reached. This introduces a new layer of uncertainty for UK businesses because:
- The EDPB are flexing their ability to repeal the UK adequacy agreement
- In four years’ time we’ll have to go through this whole process again
- Data adequacy will continue to be used as a pawn in any future dealings the UK has with the EU
What comes next?
The bridging agreement (following the end of the UK transition period last year) means that EU-UK data transfers are protected until 1st May 2021, and can be further extended to 1st July 2021. But a final decision will be reached in the next few months. Unfortunately, thanks to this sunset clause, UK businesses may end up adopting alternative data transfers options regardless of the outcome as an insurance policy. These could include Standard Contractual Clauses (SCC) or Binding Corporate Agreements (BCRs).
Alternatively, a more belt and braces approach would be for them to store all of their UK data in UK-based data centres and do the same for their EU data – sometimes referred to as ‘data sovereignty’, though perhaps a more apt name for this growing trend should be ‘data nationalism’.
It’s plausible therefore, to see a scenario where the sunset clause will have the opposite desired effect of keeping the UK in lockstep with the EU. UK businesses may adopt alternative data transfer tools, making them (and the UK) less dependent on a unilateral data adequacy ruling with the EU in 2025 – thus potentially accelerating divergence in data protection rules. This divergence could be good or bad news for UK business, but we will have to wait and see.
About the author
Jack Bedell-Pearce is the co-founder and CEO of 4D. As well keeping an eye on all things data sovereignty related, Jack is also the chair of the techUK data centre council, working with other operators and the Government to ensure the UK’s data transfer network is protected. With Jack’s leadership we at 4D ensure that our services are ready to help customers who may have their data transfer systems disrupted by any changes in legislation.
If you’re interested in learning more about data sovereignty, how it could affect your business, and how a data centre could help, get in touch.