There was good news today on the data transfer front, as the EU Commission published a draft adequacy decision for the UK.
The EU and UK had previously agreed a four month grace period until the end of April, with a possible extension until the end of June, for EU-UK transfers, with a view to finalising the adequacy decision during that period. Once adopted, the adequacy decision will allow organisations to transfer personal data from the EU to the UK on an ongoing basis without the need to put in place additional measures such as standard contractual clauses. Given the current difficulties involved in implementing standard contractual clauses following the Schrems II judgment, today's news will come as a welcome relief for businesses.
The draft decision found that the UK does ensure an "essentially equivalent" level of protection to that provided by EU law. On the face of it this is unsurprising given the UK's full implementation of the GDPR, and the intertwinement of UK and EU privacy law over the last 30 years. However, there had previously been some concerns that the EU would be taking a close (and critical) look at the UK's legal framework for law enforcement and intelligence gathering, and that this might put the UK's adequacy status in jeopardy. Today's news suggests that things are now looking more positive on that front.
There are still a few steps that need to be taken to finalise the adequacy decision, including having it reviewed by the European Data Protection Board and getting a green light from a committee composed of Member State representatives. But it does now seem quite likely that the UK will be the latest entry onto the EU's list of "whitelisted" countries before too long.
The government welcomes the European Commission’s draft data adequacy decisions, which recognise the UK’s high data protection standards and set out that the UK should be found ‘adequate’