Analysis: The European Commission published a draft adequacy decision covering data transfers from the EU to the UK but with it not being confirmed, it raises a number of questions about what the future holds.
Data transfers between the UK and EU did not automatically cease on the date of Brexit. Rather, under the EU-UK Trade and Cooperation Agreement, a transition period exists until 30 June 2021.
During this period UK organisations can continue to process data from, and exchange data with, the EU. However, there was (and to some extent still is) a risk that the UK and EU would fail to come to an agreement about data transfers and that data would be unable to be transferred between the two jurisdictions.
On 18th February, the European Commission published a draft adequacy decision covering data transfers from the European Union to the United Kingdom.
An adequacy decision is one of the mechanisms set out under the GDPR that allow the data of EU citizens to be transferred outside the union to a third country (like the UK following Brexit) without other, additional, safeguards.
The draft decision has, however, not been confirmed. For the decision to be confirmed, the European Commission will have to be satisfied the existing UK data protection regime affords "adequate" protections for EU data subjects.
In practice this means that the UK's own data protection laws must measure up to the requirements outlined in Article 45 of the GDPR.
We need your consent to load this rte-player contentWe use rte-player to manage extra content that can set cookies on your device and collect data about your activity. Please review their details and accept them to load the content.Manage Preferences
From Brexit Republic, will Brexit ever be a done deal or are the EU and UK destined to be locked into years of detailed wrangling over the terms of the Trade and Co-operation Agreement? Join Europe Editor Tony Connelly, London Correspondent Seán Whelan and Deputy Foreign Editor Colm Ó Mongáin for what prove to be a perpetual podcast.
These requirements include what could be considered 'macro’ considerations such as whether the third country respects the rule of law, and respect for fundamental rights, independent regulatory oversight or international rights obligations.
However, it also requires more ‘micro’ considerations of existing national legislation governing data protection as well as any laws or judicial decisions which control access to data by public authorities or transfer of data to third parties or other countries.
The question of whether the European Commission would grant the UK an adequacy ruling has been an ongoing source of uncertainty for UK businesses. If no such decision were granted or, at this point, if the decision is not confirmed at the end of the grace period, then data cannot pass freely between the UK and the EU.
Instead, those receiving data from the EU would be required to independently assess the protection of that data and implement technical and legal measures to ensure that data transferred is protected by ‘appropriate safeguards’ (as required by Article 46 of the GDPR).
There were (and still are) reasons to question whether the adequacy decision will be confirmed – or, alternatively, whether it will endure. Much of this uncertainty results from the UK’s surveillance powers which have been repeatedly challenged before the European Court of Human Rights for breaching the privacy rights of individuals.
We need your consent to load this rte-player contentWe use rte-player to manage extra content that can set cookies on your device and collect data about your activity. Please review their details and accept them to load the content.Manage Preferences
From Radio 1's Today with Claire Byrne, Barry Lenihan went to Dublin Port where he had a behind the scenes look at new arrangements.
In that context, there is a risk the UK adequacy decision may be found to be invalid like the Safe Harbour and Privacy Shield agreements which were used to challenge data transfers to the United States and were struck down by the EU Court of Justice in the Schrems decisions because of the existence of similar, wide-ranging, surveillance of citizens.
Even if an adequacy decision is granted, data transfers to the UK will not, necessarily, continue, unquestioned. The European Commission has the power to review adequacy decisions on an ongoing basis under the GDPR and has specifically stated it will review the UK adequacy decision every four years.
This will be especially relevant if UK laws diverge from the standards established by the EU, or fails to keep pace with future developments within EU law which are deemed necessary to ensure protection of fundamental rights.
So, while the UK’s present laws protecting personal data are based on the EU’s GDPR, if the EU subsequently introduces a stronger legal protection for data that those included in the GDPR, the UK would necessarily be required to mirror that augmentation to continue to benefit from an adequacy decision.
All of this is, of course, of much greater concern in an Irish context given our proportionately greater reliance on, and co-operation with our UK counterparts – in particular on the island of Ireland.
The adequacy decision, if confirmed, will allow businesses, researchers, and public institutions on this island to continue to exchange data in the knowledge that sufficient safeguards are present.
Without the adequacy decision, that co-operation and exchange becomes far more difficult, and far less certain.
The views expressed here are those of the author and do not represent or reflect the views of RTÉ