Can We Exhale Yet? EU Set To Rule UK 'adequate' For Data Sharing In Post-Brexit GDPR Move

The EU is set to rule that the UK's laws are sufficient to ensure "adequacy" for the safe sharing of personal data, a move promising to end uncertainty over data protection rules post-Brexit.

Officially the UK left the umbrella of the EU's General Data Protection Regulation (GDPR) at the end of the Brexit transition period on 31 December 2020. The UK had been afforded a six-month grace period (until 1 July 2021), which meant that, in practical terms, the rules still applied to the UK and organisations complying with the rules could continue to share data between the UK and EU nations, although businesses were advised to put additional safeguards in place.

The UK's Data Protection Act 2018, which as some readers might remember was the vehicle by which the GDPR was implemented when the UK was a member state, was amended on 1 January 2021 to be read in conjunction with the new "UK-GDPR" instead of the EU GDPR. The UK GDPR has not (yet) significantly diverged from the EU GDPR. For those interested, the Keeling Schedules are here.

According to the Financial Times, the European Commission is set to allow data to continue to flow freely from the EU to the UK after concluding that the British had ensured an adequate level of protection for personal information.

An EU decision in the affirmative would mean it had determined that the UK data rules set out in the December's National Data Strategy – effectively a statement of intent – were sufficiently aligned with GDPR to allow the uninterrupted transfer of personal data from the EU to the UK.

The European Data Protection Board is set to scrutinise the decision before it is implemented, but the body responsible for overseeing and advising on legislation does not have the power to block the commission's decision. Such a decision of "adequacy" in the relationship with EU data law is said to be important to the UK working as a successful digital economy.

In the lead-up to the UK's practical departure from the EU trading arrangements, there had been concerns that the UK's move to allow ministers to change data protection rules without going through Parliament might prompt the EU to place restrictions on data transfer to the UK.

For now, those fears seem unfounded. But the ultimate test would come if someone is prepared to bring a case, as Austrian privacy activist Max Schrems did with the Privacy Shield data-sharing arrangement between the EU and US. The European Court of Justice struck down that arrangement in July last year. ®