Securing An Adequacy Agreement Post Brexit

9th March 2020 brexit
After a long, arduous and intensely confusing three and a half years of Brexit negotiations, the UK will finally leave the European Union at the end of December 2020.

Although currently nestled in a transition period, the UK’s Brexit story still has a long way to go, and the challenges ahead are myriad.

As members of the general public, many people were unaware that data protection laws were even in question. After all, during the 2016 referendum campaign, the media mostly focused on the usual emotional fodder used to divert political sway.

However, in the talks between the UK and the EU post-referendum, data protection is the word on everyone’s lips. These critical negotiations are taking place because personal data plays such a vital part of the global economy. After the final split, it’s essential for all sides, that data continues to flow, uninterrupted.

At the moment, as we hang in our transition period, personal data is transferred unobstructedly between EEA member states – including all EU countries. However, following our final disengagement from the EU, the UK will no longer automatically benefit from this free flow of data.


Why is the free flow of data so important?

It’s not just businesses who rely heavily on the free flow of data; the medical sector, the academic sector for research and the police would all suffer should the data flow cease or encounter barriers.

For the police forces trying to keep border crime under control – the free flow of data between the UK and the EU is imperative. Over the years, EU member states have cultivated a range of tools allowing more robust collaboration, and more efficient policing. However, many of these tools require an uninhibited data flow.

Today, businesses too, rely on the ability to transfer personal data about their workforce or customers to offer goods and services. Trade is more and more expedited by cross-border data flows; even the most basic internal processes – cloud-based email or file storage – depend on it.

Now imagine the ‘digitally intensive’ sectors such as the UK’s tech sector, telecommunications and financial services. These sectors account for a large per cent of UK economic output and exports.

With volumes of data entering and leaving the UK increasing exponentially, any limitation set on data flows would act as a trade block, disadvantaging the UK businesses in a significant way.


Securing an adequacy decision

By securing an adequacy decision, data flows would continue smoothly post Brexit. An adequacy agreement simply means that the Commission deems that a countries data protection due diligence is ‘adequate, and in line with EU laws. The Commission has already recognised 11 other countries or territories – including Israel, New Zealand, Japan and Argentina.

However, The European Court of Justice, has several times chastised the UK, ruling twice that their handling of data had fallen out of line with EU laws – so there is no guarantee the UK will gain its much-needed adequacy decision – deal or not.

The Commission is aiming for a final decision on the UK’s status before December 2020 – the proposed finale of the ‘transition period’. The following information is taken directly from the European Commission site and defines the factors involved in the decision.

“The European Commission has the power to determine, on the basis of Article 45 of Regulation (EU) 2016/679 whether a country outside the EU offers an adequate level of data protection.

The adoption of an adequacy decision involves

  • a proposal from the European Commission
  • an opinion of the European Data Protection Board
  • an approval from representatives of EU countries
  • the adoption of the decision by the European Commission

At any time, the European Parliament and the Council may request the European Commission to maintain, amend or withdraw the adequacy decision on the grounds that its act exceeds the implementing powers provided for in the regulation.

The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. In other words, transfers to the country in question will be assimilated to intra-EU transmissions of data.

The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework) as providing adequate protection.

Adequacy talks are ongoing with South Korea.

These adequacy decisions do not cover data exchanges in the law enforcement sector which are governed by the “Police Directive” (article 36 of Directive (EU) 2016/680).”


What happens in the event of a no-deal?

If all goes to plan, the assessment will take place during the transitional period, in which time the UK will continue abiding by all EU regulations and avoid any disturbance.

HOWEVER, if no-deal happens, the UK might spend years in a data limbo, with businesses suffering significant losses. Adequacy agreements historically have taken between 18 months and five years – so even in the event of a smooth transition – disruptions to business are likely.

Until adequacy, or special alternative arrangement is decided, EU-to-UK data transfers will only be allowed under legal mechanisms executed by individual British companies. But this could pose real problems; in the face of complex new laws, many smaller businesses might have problems understanding the technical challenges and legalities of data transfers in this alien landscape. Failing to comply, even as a result of a misunderstanding, could result in prosecution.


Getting Brexit ready!

With so little information available at present, many organisations are unsure if they are compliant or have not yet attempted to comply. Our advice is to get ahead of the curve if you handle personal data, start your preparations. Information is available through The ICO, who are working hard to keep businesses up to date in the face of much Brexit uncertainty themselves.   We will regularly keep this blog updated too.

Nicky Morgan – The UK’s Digital Secretary – stated that all businesses should ensure they are Brexit ready. “If you receive personal data from the EU, you may need to update your contracts with European suppliers or partners to continue receiving this data legally after Brexit,” 

“There are simple safeguards you can put in place by following the guidance available. UK and EU businesses should get on the front foot and act now to avoid any unnecessary” disruption.”

For more information- The ICO will continue to act as the head supervisory authority for UK organisations and businesses. A comprehensive list of tips and advice is available through their website, or of course, please feel free to contact the specialists here at The Griffin House Consultancy if you need some specific advice for your business.


Contact us:

Call:+44 (0)1673 88 55 33

Email:[email protected]

Let us ease your mind

If you have any queries, questions or requests then please get in touch. We’re always very happy to talk, you’ll find a friendly voice on the end of the line or simply fill out the form below.

    Your Contact Details

    This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.