Articles

UK data-transfer adequacy: An explainer

Written by Osano Staff | February 26, 2021

The European Commission issued a draft decision on Feb. 19 declaring the U.K. to be an 'adequate' third-party to transfer data. The European Data Protection Board must still approve the decision.

While I've spent a lot of time reporting on data protection laws, I still find myself scratching my head and mouth breathing when I'm reading an explanation of European legal procedure.

The Trilogues? What? It sounds like a sci-fi book.

Thus, whenever I don't understand why or how something happened in the EU, I call on John Bowman, senior principal at Promontory Financial Group. The guy represented the U.K. when the EU negotiated the bloc's new privacy law. He was in the room! Besides that, he's got a ton of experience.

I asked him: What's important about the European Commission granting the U.K. "adequacy?"

If you missed it, the European Commission issued a draft decision on Feb. 19 declaring the U.K. an "adequate" third country. That means organizations can continue to transfer data out of EU member states to the U.K. without the necessity for expensive data transfer contracts. To now, the Commission had granted the U.K. a transitionary period since it exited the EU in 2020.

"This is an important decision which recognizes UK's data protection framework but is also politically expedient" Bowman said. "Both sides were looking at the digital economy and the continuation of services and the fact that the free flow of data is essential oil in the functioning of cross-border business."

Before Brexit, the U.K. enjoyed the free flow of data within the EU. But the fracture meant the European Commission had to examine the U.K.'s data protection laws to determine if they were on par with its own.

Luckily for the U.K., it had already successfully transposed its national law to conform with the EU General Data Protection Regulation when it passed the U.K. Data Protection Act in 2018, as it was required. So there wasn't a lot of friction between rulebooks.

The adequacy agreement moves to the European Data Protection Board and EU member states' MEPs to consider the deal, although their opinions are non-binding.

"It seems like a no-brainer that the U.K. should be found adequate," said Bowman from his home-now-office just outside London.

The big news here is: There's no big news. Organizations that feared a "no-deal" from the European Commission can breathe easy: The status quo on data transfers is likely to remain. There's no longer a need to immediately draw up plans for binding corporate rules or standard contractual clauses.

But not everyone is thrilled about the decision. Its critics cite the U.K.'s Investigatory Powers Act, which allows the U.K. intelligence agency, the GCHQ, to intercept communications in the name of national security. When the U.K. belonged to the EU, this wasn't crucial. That's because of a European treaty that says, essentially, "You do your thing, we'll do ours" on national security matters.

"The Treaty on European Union sets out that national security and defense are the sole responsibility of member states," Bowman said. "The reason is that member states, such as France, Germany, Spain and Italy don't necessarily want the EU taking an active role in national security and defense. There's a sense of national sovereignty around those kinds of areas. But now that the U.K. is a third country, in the same way the U.S. and the rest of the world is, we don't have the privilege of the national security exemption provided in the EU treaties, which means that this area can be assessed for data-adequacy purposes."

But in its application for adequacy, the U.K. government cited the U.K. Data Protection Act's provisions on snooping and surveillance. The rules come from Convention 108, of which the U.K. is still a member, which guarantees certain data rights to citizens. However, notes Bowman, the U.K.'s rules contain some exemptions for national security matters and where it's necessary and proportionate to apply them.

"The critics of this adequacy decision will say, well, there's no control over this because the government can control when this is overridden."

Bowman points to the European Court of Justice's invalidation of Safe Harbor and then its replacement, Privacy Shield, as what happens when the EU doesn't trust your intelligence processes.

The EU's risk would be data-sharing partners who've said they have adequate data protection rules, except when the spies come calling. How can the EU tell its citizens their data is protected when there are some instances in which it may not be?

While it's true the EDPB or Members of Parliament may raise questions about U.K. surveillance policies in deciding whether to approve the Commission's adequacy recommendation, Bowman doesn't see the deal being nixed.

"I can't see it happening as ultimately this is a decision for the member states," he said. "I don't think the member states want to perpetuate this situation any longer. Brexit's been a ball-and-chain on the EU and the UK for over four years. I think both want to move on and establish the terms of their new relationship."