UK data laws are adequate. For now

The EU Commission has issued draft decisions that UK data laws are adequate for data transfers to continue. Perhaps the only surprise was that it took the Commission so long to issue these draft decisions. After all, the UK has had data protection laws longer than the EU. The latest iteration, GDPR, became enforceable in 2018 in the UK just as it did in the other EU member states. And the EU Withdrawal Act preserved its effect in the UK. All part of the political fun and games in the Brexit negotiations.

This is a welcome step, embraced by UK government but it is not over yet. The decisions will now come for scrutiny by the European Data Protection Board, representatives from the member states and the EU Parliament. Max Schrems is also waiting in the wings. Remember, he’s the person who challenged both Safe Harbour and Privacy Shield. The European Court of Justice annulled these decisions on the basis they did not provide adequate protection for EU data transfers to the USA because of their snooping laws. Well, guess what? The UK has broad snooping laws too. Schrems has indicated he will review the decisions in more detail. It seems a challenge before the ECJ is not far away. Even if it survives all this, the EU Commission has said it will review the decisions in 4 years time – recognising the potential for the UK to take divergent views on data protection.

Where does that leave businesses?

These decisions mean there shouldn’t be a hard stop at the end of June – the last date under the Brexit deal. So, data transfers to and from the UK & EU can continue for now.

Given the likelihood these decisions will be challenged and the possibility they will be annulled, businesses should consider using the model clauses for their data transfers.

The difficulty is that the model clauses are about to change. The EU Commission has published four new sets of Standard Commercial Clauses. And the UK has indicated it will publish its own too.

So much for certainty and harmonisation!

If you need advice, contact me f.jennings@teacherstern.com or +44 (0) 20 7611 2338.

3 comments

It’s not just the data, it’s how you use it – The Cloud Lawyer says:

13 April 2021 at 11:02

[…] the UK has promised to mirror EU law – so-called “UK GDPR”. Following this the EU Commission has declared the UK’s law as “adequate” too. The Commission will review this in time in case this changes. For example, the UK Supreme Court is […]

LikeLike

Data flows on – The Cloud Lawyer says:

7 July 2021 at 09:46

[…] EU Commission has finally confirmed that data transfers may continue between the EU and UK. I previewed this in February but it issued the actual decision (PDF) only just before the deadline. This is the mechanism by […]

LikeLike

Data reform not adequate? – The Cloud Lawyer says:

19 May 2022 at 12:57

[…] will achieve the opposite. They’ll dilute standards in the name of reform, thus putting the UK’s adequacy status at risk. That would mean data transfers to and from the EU would have to be under standard […]

LikeLike

What's your view? Leave a comment Cancel reply

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (required) (Address never made public)

Name (required)

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

UK data laws are adequate. For now

Where does that leave businesses?

Like this:

Related

3 comments

What's your view? Leave a comment Cancel reply