In our Board Briefing in December, looking at what the end of the Brexit transition period would mean for UK agencies in 2021, we pointed out that data protection was an area that was not concluded in the EU–UK Brexit deal, and that a decision was still pending.

With this matter remaining unresolved, we pointed out that UK agencies may need to make adjustments to digital service and other contracts to include ‘standard contract clauses’ or ‘binding corporate rules’ to ensure compliance with EU data protection laws.

Board Briefing: What the end of the Brexit transition period means for agencies
This Board Briefing paper covers everything agency boards need to know on what the end of the Brexit transition period means, from access to Europe, legal and regulatory issues, contracts, data protection and GDRP, people matters for staff, customers and suppliers, plus mitigation options
Agency RadarDr Joe Baker

We wrote about this in detail in a blog last month:

Blog: The Brexit Deal and Data
What does the UK–EU trade agreement have to say about data, and what does that mean for UK digital agencies?
Agency RadarDr Joe Baker

However, according to an article in today's Financial Times, the EU looks set to give a data adequacy ruling to the UK. The FT has seen a draft of the decision, and say that the ruling is expected to be approved later this week.

Subscribe now for access to the entire library of members-only content & updates:

Monthly

£ 450 / month
  • 14-day free trial
Subscribe now Sign up

An EU data adequacy decision would recognise that UK law on data protection for personal information is of an adequate standard that EU citizens can expect the same level of privacy and protection for any of their personal data held in the UK as they would if that data were held in the EU.

Brussels to allow data to continue to flow to UK
Ruling means police can continue to co-operate and businesses transfer information
Financial TimesJavier Espinoza and Michael Peel

The positive decision from the EU on data adequacy had been widely expected, despite the challenges presented by the UK's Investigatory Powers Act (2016), the so-called ‘snoopers charter’.

EU Commissioner Věra Jourová said that the UK had a head start when striking a data adequacy deal compared with other third countries. UK law was already compliant with the EU's GDPR prior to leaving the EU and the end of the Brexit transition period.

It should be noted that the data adequacy decision is granted on a consideration of the whole of UK law, taken in the round, and not just on UK data protection law. That is why other acts, such as the ‘snoopers charter,’ posed potential threats to the EU finding the UK's favour.

Although the EU has reached its decision to grant data adequacy to the UK, the ruling will still face scrutiny by the European Data Protection Board before implementation. However, the EDPB does not have the power to block either the decision or the implementation.

A six-month period was given after the EU–UK trade deal was made for the data adequacy decision and implementation. This finding needs to be adopted fully before the 30 June deadline to ensure data continues to flow from the EU to the UK.

Note: Data adequacy is not a permanent status

It should be remembered, as we have said previously, that the data adequacy ruling is not a permanent status. It will be periodicall reviewed by the European Commission, and would remain open to legal challenge in the European Court of Justice (ECJ).

This is no mere hypothetical. Last year, in July 2020, the EU–US ‘Privacy Shield’ data transfer deal was struck down by the ECJ in the case brought by the Austrian privacy advocate Max Schrems.

Jourová reasserted that the EU would seek to ensure the UK data adequacy finding  would be ‘future-proof.’ The EU is concerned that the path of UK law does not diverge substantially from EU law, such that future changes to UK law do not compromise the privacy of EU citizens when their personal data passes into the UK.

Subscribe now for access to the entire library of members-only content & updates:

Monthly

£ 450 / month
  • 14-day free trial
Subscribe now Sign up

The arrangement will be reviewed every four years, and will continue to be open to challenge in the ECJ, as with the Schrems ruling in the case against ‘Privacy Shield.’

What this means for agencies

The EU's data adequacy finding for the UK means that:

  • The data adequacy ruling must be fully implemented in the EU by 30 June.
  • Providing the EDPB review does not indicate problems, this should be achieved.
  • If so, ‘standard contract clauses’ or ‘binding corporate rules’ should not be necessary.
  • That will remain dependent on UK law still remaining in compliance with EU data protection provisions. If UK law diverges in the future, then the data adequacy finding may be recinded.
  • Agencies handling personal information for EU citizens should remain alert to any changes to UK law that may affect the privacy and protection of personal data. It may still be necessary, at some point in the future, to include ‘standard contract clauses’ or ‘binding corporate rules’ into contracts to ensure your business is unaffected.

This blog is a follow-up to the longer Board Brief paper on what the end of the Brexit transition period means for agencies in the UK. Subscribe to Agency Radar for access to the full paper.

Board Briefing: What the end of the Brexit transition period means for agencies
This Board Briefing paper covers everything agency boards need to know on what the end of the Brexit transition period means, from access to Europe, legal and regulatory issues, contracts, data protection and GDRP, people matters for staff, customers and suppliers, plus mitigation options
Agency RadarDr Joe Baker

Main photo by Christian Lue on Unsplash