The short version:
The UK left the EU on 31st December 2020 with no ‘Adequacy’ formally confirmed by the EU, which meant the UK was not formally recognised by the EU as a country with suitably safe data privacy laws for EU subjects' data to be transferred to it.
However, a Trade and Cooperation Agreement signed on 24th December 2020 between the UK and the EU extended the status quo of EU-to-UK data sharing for four months, extending to six months if Adequacy is still not secured within the first four.
Were it not for the Trade and Cooperation Agreement, transfers of EU personal data to the UK would have been instantly prohibited on 31st December 2020.
If Adequacy is not confirmed by 30th June 2021, or there is no further extension, then data transfers will once again be at risk of being instantly prohibited.
Right now, there is no sign that Adequacy is at all close to being awarded.
This will mean any business with operations in the UK that processes EU personal data will need to adapt their own data strategies to provide the necessary protections that the EU requires, and that the UK's national legislation does not - and fast!
In our previous blog, we described Adequacy as:
…a formal recognition by the EU that the country’s data privacy regime is suitable for EU personal data to be transferred to it, and offers at least similar protections to the regime that the EU member states are bound by.
The UK gave itself 11 months to secure Adequacy from the EU – it could only be applied for once the UK formally left the EU at the end of January 2020, and the end of the Transition Period was pre-determined as the end of December 2020. The fastest Adequacy decision to date is the 18 months it took Argentina to be confirmed.
But what does Adequacy actually mean in practice?
As the UK Supervisory Authority, the Information Commissioner's Office (ICO), states,
The effect of an adequacy decision is that personal data can be sent from an EEA state to a third country without any further safeguard being necessary.
Which means with no Adequacy, businesses need to put in place their own specific measures before GDPR-applicable data (in simplified terms, data regarding EU citizens) can be transferred to the UK.
As of January 2021, no UK Adequacy has been confirmed.
Theoretically, the UK is in a strong position. The UK’s Data Protection Act 2018 was clearly written as an implementing act of the GDPR.
Indeed, the UK government’s arguments for Adequacy that were submitted to the EU in March 2020 included statements such as:
However, concerns surrounding the UK’s Investigatory Powers Act 2016, some misalignments between the Data Protection Act and the EU’s Charter of Fundamental Rights, and the UK’s close security relationship with Australia – itself refused Adequacy by the EU – plus many other concerns all mean that Adequacy will not be a formality - if it is possible at all.
This may also explain why even an ex-EU member state with a GDPR-implementing data privacy law in place still cannot secure Adequacy quickly.
Which puts businesses in a precarious position…
While the political arguments continue, data leaders need to prepare.
The data privacy steps that every data leader must take to maintain the ability to share and receive GDPR-applicable data into the UK in advance of 30th June 2021 are split into two types:
Actions that are urgently necessary regardless of the Adequacy decision – a set of activities that all businesses will need to revisit to ensure they are GDPR-aligned within a third country
Additional actions that are essential for all businesses if no Adequacy is granted before 30th June 2021
The flowchart below sets out some high level guidance for either scenario.
Calligo’s expert and highly-qualified data privacy consultants have helped organisations across financial services, government, technology, healthcare, consumer services and plenty more with their GDPR requirements.