Continuing the free flow of personal data between the EU and the UK post-Brexit: DCMS Explanatory Framework for adequacy discussions
How might the Explanatory Framework recently published by the Department for Digital, Culture, Media & Sport (DCMS) assist with enabling the continued free flow of data between the EU and the UK post-Brexit and how might the UK Government’s approach to the COVID-19 pandemic affect this?Key takeaway
The Explanatory Framework published by the DCMS in March 2020 outlines the UK’s intention to seek an adequacy decision from the European Commission (the Commission) to enable the continued free flow of personal data between the EU and the UK following the Brexit deadline. The unexpected introduction of a global pandemic to this scenario may have some unexpected consequences, not only impacting the ability of many businesses to comply with data protection measures at this time, but also swallowing the focus of policy makers whole. Given the significant value of personal data-enabled services to the UK economy and their reliance on the free flow of data, this process is clearly one to follow.
Adequacy decisions are one of the tools provided under the GDPR to permit for the transfer of personal data from within the EU to countries outside of the EU (Third Countries). Under Article 45 of the GDPR, where a Third Country can evidence an equivalent level of data protection to that of an EU state through its domestic law or its international commitments, the European Commission may make a positive adequacy decision. Such a decision allows for personal data to flow unimpeded between the EU and the Third County without additional safeguards and as if it were an intra-EU data transmission.
Note that there is no requirement for the Third Country’s data protection system to be identical to those found in the EU. The standard is instead one of “essential equivalence”, and a Third Country’s data protection system is assessed by an investigation of its protection guarantees and of the relevant oversight and redress mechanisms available.
In advance of the fast approaching January 2021 deadline, the UK requires adequacy decisions from the Commission to enable to continual flow of personal data post-Brexit. The Commission has described such a decision as being a necessary affirmation of the UK’s commitment to the protection of personal data and respect for the Union’s personal data protection rules.
On 3 March, the DCMS published an Explanatory Framework for adequacy discussions, designed to assist the Commission’s assessment by providing an overview of the legal framework that underpins the UK’s data protection standards. The Explanatory Framework highlights:
- how existing UK legislation, including the UK GDPR and the Data Protection Act (DPA) 2018, offers robust personal protection, equivalent to that provided under EU law
- the UK’s historic commitment to the enforcement of the principles underpinning lawful data processing through the means of judicial redress
- the “strong track record” of the UK Information Commissioner’s Office (ICO) for working closely and effectively with other DPAs as “one of the three most active data protection authorities in recent years … [and] is influential in driving global privacy standards.”
Why is this important?
For those unfamiliar with the industry, personal data-enabled services may seem obscure. However, the flow of these services between the EU and the UK is pervasive across all industries and was collectively worth in excess of £100bn in 2018. Failure to achieve adequacy could be expected to result in significant disruptions to trade across the UK. While contractual protections could serve to mitigate this risk, if the UK’s status as a global leader in the field of data protection is to be maintained, the importance of obtaining a positive adequacy decision from the Commission cannot be stressed enough. In our current climate it is in no way guaranteed.
Those involved directly and indirectly in personal-data enabled services should keep a careful eye on internal legislative developments that might signal deviation from the EU’s data protection policies. As stated above, the risk to trade can be mitigated through introducing contractual protections in advance of any potential difficulties arising. This makes it all the more important to ensure that you keep Brexit in mind when drafting any Data Protection Agreements which incorporate the EU’s Standard Contractual Clauses.