Adequacy at last: what now for international data transfers?

On 28 June, the European Commission adopted a so-called ‘adequacy decision’ in respect of the UK’s data laws.

There were huge sighs of relief from businesses across the UK and the EU as the decisions finally brought to an end a long period of uncertainty around international data transfers. But although it’s undoubtedly very good news, there are already signs of more trouble ahead.

This saga began as long ago as June 2016, when the UK voted to leave the European Union. The EU’s data protection laws allow for unrestricted movement of data within the EU and the wider European Economic Area, but contain restrictions on transfers outside the bloc. As a member state, the UK enjoyed the benefits of free flows of data. Maintaining this privileged position was one of the UK government’s aims in the lengthy Brexit negotiations that followed.

This might all sound very technical and something only relevant to multinationals, but international data transfers are actually quite common for businesses of all sizes. A small manufacturing company that outsources its payroll to a company in Germany, for instance, or a retailer that uses an IT system hosted by an Irish company would both be involved in international data transfers.

The restrictions mean that sending personal data to countries outside the EU is considerably more difficult than sending data between EU countries. Transfers can only take place using an approved method, as set out in Chapter V of the General Data Protection Regulation. By far the easiest of these methods is where the European Commission has made an assessment of the country’s data protection laws, and has determined that they provide an adequate level of protection for personal data. This is known as an ‘adequacy decision’. Transfers to countries with an adequacy decision can take place without any further steps being taken.

On the UK’s formal departure from the EU in January 2020, a transition period maintained the status quo until the end of December 2020. And then, just as that deadline loomed, bridging arrangements were hastily put in place to continue the free flow of data while the EU considered adopting an adequacy decision in respect of the UK. Given that UK data protection law derives from EU law, you may have thought that such a decision was a mere formality. But that certainly wasn’t the case. The Commission looked in detail at all aspects of the UK’s laws, including interception powers of the security services, before reaching its decision.

When it was finally adopted, just two days before the bridging arrangements came to an end, the decision ran to 93 pages. It contains a detailed review of UK data laws and comes with an inbuilt sunset clause, meaning the decision lapses after four years unless the Commission decides to renew it. There is also a warning that the decision will be kept under review should the UK choose to alter its own data protection laws. This is where the next stage of uncertainty is likely to come from.

Just last month, the UK government’s own Taskforce on Innovation, Growth & Regulatory Reform issued its final report, which recommended replacing the UK’s current data protection laws with a new framework. There is very little detail in the report on what this new framework may look like, but if the recommendation is adopted then any significant changes to data protection law are likely to threaten the UK’s newly obtained adequacy decision.

The uncertainty around international data transfers is unlikely to go away as the consequences of the Brexit vote continue to play out.  Uncertainty perhaps remains the only certainty.

Published in Business Matters – 2.7.21