Update: April 11, 2023
Published: February 26, 2021
The European Commission issued a draft decision on Feb. 19 declaring the U.K. an 'adequate' third country for data transfers. The European Data Protection Board must still approve the decision.
While I've spent a lot of time reporting on data protection laws, I still find myself scratching my head and mouth breathing when I'm reading an explanation of European legal procedure. The Trilogues? What? It sounds like a sci-fi book.
Thus, whenever I don't understand why or how something happened in the EU, I call on John Bowman, senior principal at Promontory Financial Group. The guy represented the U.K. when the EU negotiated the bloc's new privacy law. He was in the room! Besides that, he's got a ton of experience.
I asked him: What's important about the European Commission granting the U.K. "adequacy?"
If you missed it, the European Commission issued a draft decision on Feb. 19 declaring the U.K. an "adequate" third country. That means organizations can continue to transfer data out of EU member states to the U.K. without the need for expensive data transfer contracts. Until now, the Commission had granted the U.K. a transitionary period since it exited the EU in 2020.
"This is an important decision which recognizes UK's data protection framework but is also politically expedient," Bowman said. "Both sides were looking at the digital economy and the continuation of services and the fact that the free flow of data is essential oil in the functioning of cross-border business."
Before Brexit, the U.K. enjoyed the free flow of data within the EU. But the fracture meant the European Commission had to examine the U.K.'s data protection laws to determine if they were on par with its own.
Luckily for the U.K., it had already successfully transposed its national law to conform with the EU General Data Protection Regulation when it passed the U.K. Data Protection Act in 2018, as it was required to do. So there wasn't a lot of friction between rulebooks.
The adequacy agreement now moves to the European Data Protection Board and EU member states' MEPs, who will consider the deal, although their opinions are non-binding.
"It seems like a no-brainer that the U.K. should be found adequate," said Bowman from his home-now-office just outside London.
The big news here is: There's no big news. Organizations that feared a "no-deal" from the European Commission can breathe easy: The status quo on data transfers is likely to remain. There's no longer a need to immediately draw up plans for binding corporate rules or standard contractual clauses.
But not everyone is thrilled about the decision. Its critics cite the U.K.'s Investigatory Powers Act, which allows the U.K. intelligence agency, the GCHQ, to intercept communications in the name of national security. When the U.K. belonged to the EU, this wasn't crucial. That's because of a European treaty that says, essentially, "You do your thing, we'll do ours" on national security matters.
"The Treaty on European Union sets out that national security and defense are the sole responsibility of member states," Bowman said. "The reason is that member states, such as France, Germany, Spain and Italy, don't necessarily want the EU taking an active role in national security and defense. There's a sense of national sovereignty around those kinds of areas. But now that the U.K. is a third country, in the same way the U.S. and the rest of the world is, we don't have the privilege of the national security exemption provided in the EU treaties, which means that this area can be assessed for data-adequacy purposes."
But in its application for adequacy, the U.K. government cited the U.K. Data Protection Act's provisions on snooping and surveillance. The rules come from Convention 108, of which the U.K. is still a member, which guarantees certain data rights to citizens. However, notes Bowman, the U.K.'s rules contain some exemptions for national security matters and where it's necessary and proportionate to apply them.
"The critics of this adequacy decision will say, well, there's no control over this because the government can control when this is overridden."
Bowman points to the European Court of Justice's invalidation of Safe Harbor and then its replacement, Privacy Shield, as what happens when the EU doesn't trust your intelligence processes.
The EU's risk would be data-sharing partners who've said they have adequate data protection rules, except when the spies come calling. How can the EU tell its citizens their data is protected when there are some instances in which it may not be?
While it's true the EDPB or Members of Parliament may raise questions about U.K. surveillance policies in deciding whether to approve the Commission's adequacy recommendation, Bowman doesn't see the deal being nixed.
"I can't see it happening as ultimately this is a decision for the member states," he said. "I don't think the member states want to perpetuate this situation any longer. Brexit's been a ball-and-chain on the EU and the UK for over four years. I think both want to move on and establish the terms of their new relationship."
Osano Staff is a pseudonym used by team members when authorship may not be relevant. Osanians are a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet.