In a move that has been welcomed across industry, the UK has been granted data protection adequacy status under Article 45(3) of the GDPR, approving the continued flow of personal data into the UK.
It is step one of a four-part process. The draft decision is now under review by the European Data Protection Board, which will issue a non-binding opinion in the coming weeks. That must then be approved by a committee of representatives of EU Member States before being signed-off by individual members.
Commenting on the developments, TechUK CEO Julian David, said: "The European Commission's decisions that the UK’s data protection regime offers an equivalent level of protection to the EU GDPR is a vote of confidence in the UK’s high data protection standards.
"Today’s decision is warmly welcomed by the tech sector which has been making clear the importance of a mutual data adequacy agreement since the day after the referendum. Receiving data adequacy, alongside the EU-UK Trade and Cooperation Agreement, will set a solid foundation for digital trade with the EU, including strong non-discrimination clauses and positive data flows provisions, that will give businesses the confidence to invest.
"As we go forward, the UK must also complete the development of its own international data transfer regime, allowing UK companies not just to exchange data with the EU, but also to be able to access global opportunities."
Regulatory process
Although the draft is progressing, companies will not be able to rely on it to transfer personal data from the EU to the UK until approved.
In an FAQ on the subject, Guadalupe Sampedro, cyber, data and privacy partner at the law firm Cooley, welcomed the progress and said that without such a decision, companies could face a significant data compliance burden that would force them to implement a transfer mechanism under GDPR, i.e. Standard Contractual Clauses, Binding Corporate Rules, etc.
"The draft decision is very welcome since it represents a first and very important step towards allowing that the free flow of data from the EU to the UK continues after the transition period," she wrote.
MEPs (members of the European parliament) have already begun to criticise the draft and it remains open to scrutiny during the review period.
Sampedro said: "The decision once adopted can be potentially challenged as happened with Safe Harbour and more recently with the Privacy Shield following the Shrems II case. In fact, members of the European Parliament have already shown their criticism with this draft. However, it is too soon to foresee if this is going to be the case. It will be interesting to see the opinion of the European Data Protection Board about the draft decision."
On the next steps, Sampedro said that following on from the publication of the draft, or proposal, from the European Commission, the European Data Protection Board must give its opinion, after which EU member states give their approval and the European Commission's decision will then be adopted.
There will be more on the impact of Brexit on tech and telecoms in the next issue of Capacity magazine
