Following the UK formally leaving the EU and entering into a transition period (until the end of December 2020) during which the UK and the EU will negotiate with a view to establishing a new formal relationship, the European Data Protection Supervisor (EDPS) has issued its official ‘Opinion on the opening of negotiations for a new partnership with the UK’, which can be found on the EDPS’s website here: https://edps.europa.eu/. This article looks at the aspects of the Opinion concerning the so-called ‘adequacy’ process.
What’s this all about?
The EDPS is an EU institution that deals with data protection issues concerning EU institutions and bodies. As part of its mandate it has issued a formal Opinion on the data protection aspects of the EU-UK negotiations for a new partnership, including the so-called ‘adequacy assessment’ that the EU will determine for the UK.
By way of brief reminder, adequacy status can be granted by the European Commission to countries outside the European Economic Area (EEA) where these countries provide a level of personal data protection comparable to that provided in EU terms – this assessment needs to be undertaken with regard to the UK because the UK has left the EU. Acquiring adequacy status will mean that information can pass freely between the UK and the EEA without further safeguards being required.
What are the main points and recommendations made?
The EDPS has set out a number of points and recommendations. Its notable comments concerning adequacy are that:
- The adoption of an adequacy decision is subject to specific conditions and requirements and, if the European Commission presents a draft adequacy decision, the EDPB will need to be involved;
- Given the specific situation of the UK, any substantial deviation from the EU data protection ‘acquis’ that would result in lowering the level of protection would constitute an important obstacle to the adequacy findings; and,
- The EDPS recommends that the EU takes steps to prepare for all eventualities, including where the adequacy decision(s) cannot be adopted within the transition period, where no adequacy decision would be adopted at all, or where it would be adopted only in relation to some areas.
What’s the takeaway?
The adequacy assessment is not going to be a straightforward exercise, most likely because of the UK’s surveillance rules and practices. The EDPS’ Opinion is a reminder that it is another EU player in the adequacy process who will be pitching in their tuppenceworth.
What should I be doing now?
During the transition period you should have a plan and also consider the following:
- Be proactive – do not leave this until the last minute and instead review your current compliance measures on a prioritized basis;
- Look at data transfer arrangements – this should be a key priority (standard contractual clauses/model clauses, Binding Corporate Rules etc.). Approach the businesses, vendors etc. with whom your data transfers are taking place for discussions about future arrangements between you;
- Determine whether you will be required to appoint a so-called official Representative and, if this is the case, start drafting the relevant documentation to be able to make this work in practice;
- In a more specific UK context, follow closely how the ICO’s role actually plays out in the so-called ‘co-operation and consistency mechanism’ and how it continues to act as a so-called ‘lead supervisory authority’, and determine who your lead supervisory authority might be after the end of the transition period; and,
- Follow the eventual changes made to UK data protection rules after the transition period and determine if and how they might affect your business.
We recently wrote about the ICO’s updated Brexit Data Protection Guidance which can be found here: https://www.corderycompliance.com/ico-updated-brexit-dp-guidance-and-resources/
We report about data protection issues here: http://www.corderycompliance.com/category/data-protection-privacy/. For more about GDPR please also see our GDPR FAQs which can be found here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/ and our Data Protection Glossary which can be found here: http://www.corderycompliance.com/?s=glossary.
Cordery’s GDPR Navigator includes resources to help deal with data protection compliance. GDPR Navigator includes:
- Detailed guidance on the security aspects of GDPR in paper and on film;
- A template data breach log;
- A template data breach plan; and,
- A template data breach reporting form.
For information about our Breach Navigator tool please see here: https://www.corderycompliance.com/solutions/breach-navigator/
For more information please contact André Bywater or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.
Office: +44 (0)207 075 1785
Office: +44 (0)207 075 1784