Paul Motion: European Commission approves post-Brexit data protection regime – but UK is put on probation
The UK’s data protection regime has been given a pass by the EU, for now. Paul Motion explains the details.
The European Commission has adopted two data “adequacy decisions” for the UK. This action resolves a major concern after Brexit, that whilst personal data flowing from the UK to the EU member states was regarded as flowing to countries with sufficiently robust data protection, personal data flowing the other way, from the EU to the UK – now a “third country” – was not automatically treated as such.
A transitional arrangement was due to expire at the end of June 2021. After this, had there been no adequacy decisions, businesses were facing the prospect of substantial imminent upheaval such as rewriting their contracts, website contact forms, privacy policies, privacy notices, and terms of business.
Whilst very welcome, it should be noted that for the first time, the EU adequacy decisions include a sunset clause. This means the decisions automatically expire in four years’ time. During this period, the Commission will monitor the situation in the UK.
Vera Jourva, vice-president for values and transparency, said: “We are talking here about a fundamental right of EU citizens that we have a duty to protect. This is why we have significant safeguards and if anything changes on the UK side, we will intervene.”
In addition, Didier Reynders, commissioner for justice said: “The Commission will be closely monitoring how the UK system evolves in the future and we have reinforced our decisions to allow for this and for an intervention if needed. The EU has the highest standards when it comes to personal data protection and these must not be compromised when personal data is transferred abroad.”
These observations are significant for two reasons. First, in a recent decision of the Court of Appeal for England and Wales [The Open Rights Group & Anor, R (On the Application of) v Secretary of State for the Home Department & Anor  EWCA 800], the UK government’s interpretation of certain exemptions relating to data transfers for the purpose of UK immigration control were ruled incompatible with the GDPR.
Second, the government published the report of its Task Force on Innovation, Growth and Regulatory Reform (TIGRR) last week. The report contained, in this author’s opinion, several elementary misconceptions as to how the GDPR operates.
In several places, data protection law was conflated with direct market regulation. The European Commission will have been especially concerned about the proposal to remove any human oversight requirement from automated decision making (GDPR Article 22), and by the general thrust of the report, which appears to envisage an emphasis on commercialisation of data.
So, whilst the UK’s data protection homework has been marked up to date, it will be some time until we receive our end of term report card.
Paul Motion is a solicitor advocate at BTO Solicitors LLP