Europe's Data Protection Guardians Green Light EU-UK Data Flows

The UK’s quest for unhindered data flows to and from the EU took another important step forward yesterday after the European Data Protection Board (EDPB) approved the Commission’s draft adequacy decisions.

Adequacy decisions are the process by which the European Union decides whether countries outside the bloc offer an adequate level of protection for the data of EU citizens. They are critical to granting seamless data flows between the EU and so-called “third countries”  like the UK post-Brexit.

After the European Commission issued two draft adequacy decisions in February 2021 approving the UK’s data protection regime, the EDPB has now recommended their acceptance. The board is an independent European body set up to ensure consistent application of the GDPR.

“The EDPB says that there are key areas of ‘strong alignment’ between the EU and the UK data protection frameworks including on: grounds for lawful and fair processing for legitimate purposes; purpose limitation; data quality and proportionality; data retention, security and confidentiality; transparency; special categories of data; and on automated decision making and profiling,” explained compliance experts Cordery.

“But it is not an unqualified blessing. The EDPB highlights a number of areas requiring further assessment and monitoring including: the UK exception for immigration data; onward transfers; and the role and powers of the security services.”

The latter could be a particular sticking point, given the outsized powers for mass surveillance the UK’s Investigatory Powers Act grants to its intelligence services. It was a similar issue which led to the collapse of the Safe Harbor and Privacy Shield data sharing agreements between the EU and US.

In a similar manner, privacy groups may well challenge any official EU decision in the courts, as happened with the now famous Schrems cases.

That’s why Cordery is advising its clients to ensure they make alternative arrangements in case the adequacy decisions aren’t confirmed, or as insurance against any successful future challenge.

This includes things like updating privacy policies, mapping data flows in and out of the UK, putting agreements in place to protect data transfers, doing due diligence on suppliers, and even data localization in the long-term.

The UK’s temporary data deal with the EU will expire at the end of this month unless renewed. It desperately needs an adequacy decision given the size of its digital economy. The UK’s e-commerce market is the largest in the region, for example.

What’s Hot on Infosecurity Magazine?