On the 28th June, the EU Commission adopted an adequacy decision for the UK. The adequacy decision means the free flow of data from the EU to UK. This means that data can now freely, without speculation about use of Standard Contract Clauses, etc., move from the EU to the UK on the basis that the UK has essentially equivalent data protection (i.e. UK GDPR and Data Protection Act 2018).
However, with speculation about divergence from GDPR being touted by the Prime Minister’s advisors’ report recently, and comments from UK government about wanting to boost the data economy – both of which sounded alarm bells for the EU, there is a four year sunset clause in the decisions which will mean they will need to be reviewed again, plus in the past the EU has made it clear they could pull them at any time if the UK diverged too much.
On this matter (which incidentally, I don’t think will mean the loss of GDPR as a concept, maybe by name) the EU Vice President for Values and Transparency said
“[We] have listened very carefully to the concerns expressed by the [EU] Parliament, the Member States and the European Data Protection Board, in particular on the possibility of future divergences from our standards in the UK’s privacy framework. We are talking here about a fundamental right of EU citizens that we have a duty to protect. This is why we have significant safeguards and if anything changes on the UK side, we will intervene”
So what does this mean to UK businesses? Essentially, if you process data (as a Data Processor) on behalf of EU customers then your EU customers don’t need to find an appropriate safeguard for the data transfer to be lawful (e.g. you don’t need to worry about signing Standard Contractual Clauses (SCC)). But remember, “processing” has a wide definition so you will still need to consider whether you are a processor (e.g. even if you’re only hosting data) and still need to consider the implications of using non-UK and non-EEA sub-processors.
The GDPR adequacy decision can be found here: https://ec.europa.eu/info/files/decision-adequate-protection-personal-data-united-kingdom-general-data-protection-regulation_en
Providing cost-effective, simple to understand and practical GDPR and ePrivacy advice and guidance, via my one-stop-shop helpline. I ❤️ GDPR