Is the UK GDPR Adequacy Ruling Inadequate?

Those of you who follow our pages and previous blogs will know that we have been warning UK businesses that the UK may not get a UK GDPR adequacy ruling from the EU for the processing of EU Personal data in the UK.

It seemed ALMOST inconceivable to us here at GDPR Auditing that, after all the problems between the EU and the UK up to and including BREXIT and now over COVID jabs, the EU would come down on the side of the UK and hand over an adequacy ruling – see our other blogs for our other musings.

European Parliament draft GDPR Adequacy Ruling

So, it comes as a huge surprise that on the 21st February 2021 the European Commission published a draft decision finding the UK’s data protection regime to be “adequate” in GDPR terms. You can view it here:

https://ec.europa.eu/info/files/draft-decision-adequate-protection-personal-data-united-kingdom-general-data-protection-regulation_en

Although this is only a draft paper it basically looks as though the decision has been made. Drafts only tend to get updated with small amendments and clarifications.

So, the UK gets a GDPR Adequacy Ruling – Isn’t that Good News?

UK businesses will heave a massive sigh of relief over the news that the UK will get an adequacy ruling. This enables the unfettered exchange of EU personal data with the UK. Don’t forget you may still need a UK and/or EU representative.

It seems like a good move by the EU, making things easier for the UK when many other areas of BREXIT have become an administrative and logistical nightmare.

Many will say, we were abiding by the GDPR up to BREXIT, why should it suddenly change? Read our blog from the 19th September 2020 for a bit of background.

So yes, this is good news for businesses. It means that time-consuming, costly changes to data processing of EU personal data on the whole will not need to happen.

The Not so Good News

An adequacy ruling might be good news for beleaguered British businesses but we should ask:

  • how long will the adequacy ruling apply for
  • and at what cost to data protection standards in the UK, Europe and the rest of the world (RoW)

Based on the evidence, history and British law being at odds with the GDPR, an adequacy ruling just makes no sense. So much has been written about the problems, we can’t go into them all here.

But to summarise:

The Draft Decision really only looks at the law on paper (as described, at times misleadingly, by the UK itself) without due regard for the application of the law in practice and without assessing law or practice against the EU legal standards.

The UK rules on data sharing, the immigration exemption and the research exemption just do not meet EU standards.

If the decision goes ahead there is a serious risk that the UK will become a data protection-evasion haven for personal data from the EU/EEA to countries that do not provide adequate protection by the EU; that the UK could allow for unreasonable direct access to data (including data on EU data subjects) by US authorities under the UK-US Agreement; and that it will allow UK companies to pay lip service to judgments and orders from non-EU Member States, also in respect of EU data, contrary to Article 48 GDPR.

The UK ICO continues to fail to properly enforce the law in the vast majority of cases. Even when it itself concludes that the law has been broken.

The elephant in the room: The Draft Decision completely fails to assess (or even note) the UK’s intelligence agencies’ actual surveillance practices.

Extract from “The inadequacy of the EU Commission’s Draft GDPR Adequacy Decision on the UK”. Posted on 3 March 2021 by Douwe Korff (duly credited here for an excellent report). The full report and summary is at the following link: 
https://www.ianbrown.tech/2021/03/03/the-inadequacy-of-the-eu-commissions-draft-gdpr-adequacy-decision-on-the-uk/

The problem is that these issues are already so well known that any adequacy ruling given to the UK is likely to attract an almost immediate challenge in the courts.

Uncertainty and No Transition Period

If or when the decision is challenged, then UK businesses could be left in a state of uncertainty in what could be a long-drawn-out court case (Schrems III perhaps?). EU personal data processing may be lawful one day and illegal the next, just as happened with the EU-US Privacy Shield.

Any future court decision against the ruling is likely to be immediately enforceable, leaving UK businesses to scramble to find alternative transfer methods.

What Should UK Businesses do?

UK businesses can take a little light relief, assuming the draft adequacy ruling is going to be ratified. However, our advice would be don’t be too complacent. We fully expect any adequacy ruling to be challenged and if the same principles and arguments are used as per Schrems II and the EU – US Privacy Shield ruling – then the adequacy ruling could be deemed illegal – and any EU personal data transfers being made solely on the basis of the adequacy ruling would need to stop with immediate effect.

Prudent businesses should plan for this sequence of events as a worst case. They should have in hand alternative methods for legalising the processing of EU personal data.

Call it an insurance policy – but in our opinion this is insurance against an almost certain outcome …. But we’ve been wrong before.

Contact Us

If you would like to know more about how GDPR Auditing can help your organisation with PCI DSS or GDPR then please contact us at info@gdprauditing.com or visit our contacts page.

The information provided in this post is for general information only and is not intended to provide legal advice.
