The EU adequacy decision in favour of the UK allows the free flow of personal data between the UK and the European Economic Area (the EU member states plus Iceland, Liechtenstein and Norway). Both before and since expiry of the Brexit implementation period, businesses have emphasised the crucial importance of maintaining that adequacy decision, pointing out that it is subject to review in 2025, or sooner if UK data protection law is considered to have diverged from EU GDPR in a way that poses a risk to the rights and freedoms of data subjects. Up to, and including, the second reading debate for the UK’s Data Protection and Digital Rights (No 2) Bill (the Bill) on 17 April, the UK government seemed to agree that maintaining the adequacy decision must be a priority. However, will the appointment of John Whittingdale MP as the Minister responsible for steering the Bill through its House of Commons committee stage impact the government’s commitment to that goal?
Introducing the second reading debate, Minister for Data and Digital Infrastructure Julia Lopez MP acknowledged the importance of EU adequacy, indicating that the UK government has been in constant touch with the EU and expects to maintain adequacy once the Bill is enacted. There was no Ministerial disagreement when Carol Monaghan MP relayed the Open Rights Group’s concerns that loss of adequacy would be extremely costly for UK business, exacerbating the already increasing need to adapt compliance procedures to fit multiple legal regimes. Equally, though, there was no indication that Ministers agreed with Carol Monaghan’s conclusion that: the only way that we can properly maintain standards is by having a standard across the different trading partners, but the Bill risks creating a scenario where the data of EU citizens could be passed through the UK to countries with which the EU does not have an agreement. The changes are raising red flags in Europe. Many businesses have spoken out about the negative impacts of the Bill’s proposals. Many of them will continue to set their controls to EU standards and operate on EU terms to ensure that they can continue to trade there.
Julia Lopez MP is currently on maternity leave. On 21 April John Whittingdale MP was announced as her temporary replacement. Given that he had previously held Ministerial posts at the Department for Digital, Culture, Media and Sport (DCMS), the appointment had some logic. However, John Whittingdale’s contribution to the Bill’s second reading debate may fuel EU concerns about the strength of UK commitment to maintaining adequacy, since he will now be responsible for steering the Bill through its committee and third reading stages. Whittingdale said:
A lengthy negotiation with the EU took place before a data adequacy agreement was reached. As part of that process, officials rightly looked at what alternative there would be, should we not be granted data adequacy. It became clear that there are ways around it. Standard contractual clauses and alternative transfer mechanisms would allow companies to continue to exchange data. It would be a little more complicated. They would need to write the clauses into contracts. For that reason, there was clearly a value in having a general data adequacy agreement, but one should not think that the loss of data adequacy would be a complete disaster because, as I say, there are ways around it.
The Bill committee has issued a call for written evidence. It provides an opportunity for businesses and other organisations to ensure that the committee, in its line-by-line scrutiny of the Bill, fully grasps the practical importance of the EU adequacy decision. Although it is possible to adopt “appropriate safeguards”, such as Standard Contractual Clauses (SCCs), for transfers of personal data to countries not considered by the EU to provide adequate protection to data subjects, using those Standard Contractual Clauses is not a low-cost question of merely signing a pre-printed document. Valid completion of the SCCs requires the parties to set out specific details of the data transfers to which they relate. They also require completion of a Transfer Risk Assessment (TRA) to determine whether the SCCs can, on their own, serve as an “appropriate safeguard” or whether data subject rights can viably be protected only with additional technical or organisational measures, such as encryption. Conducting a TRA and implementing any measures that flow from it can be time-consuming, incurring both direct expense and opportunity costs in terms of management time. Our sense, having worked with many clients seeking to navigate the complexities of data transfers to countries without the benefit of an adequacy agreement, is that John Whittingdale’s comments at the second reading of the Bill may not reflect the actual risks. It might be the case, as he suggests, that there would be “ways around” loss of data adequacy, but those workarounds would multiply the complexities and costs of compliance with absolutely no material benefits in return. Unless a business operates only within the UK, and has no customers other than UK residents, compliance with EU GDPR remains a practical necessity. Loss of the EU adequacy decision would affect any UK business operating in or trading with the EU and any EU business operating in or trading with the UK.
The current EU adequacy decision permits a single, streamlined compliance regime and the free flow of personal data. Any divergence of UK GDPR from EU GDPR introduces friction and impairs streamlining of data compliance. Loss of adequacy would materially increase those challenges for both UK and EU businesses.
The Bill committee is due to begin its consideration of the Bill on 10 May, and to conclude by 13 June 2023. Written evidence can be submitted up to the end of the committee’s proceedings. However, if your organisation wishes to respond to the call for evidence, then we recommend sending your submission as early as possible in the process – and ideally by 10 May.