Why the UK may not get a GDPR adequacy ruling and what that really means.
Picture the scene
You are a UK based business but you have some customers/clients from the EU, EEA and or EFTA (Europe).
At the moment under the banner of the GDPR you can legally process EU personal data provided you are following the GDPR.
BREXIT and GDPR
On the 1st January the UK is no longer covered under the GDPR umbrella, we become what is known as a 3rd country.
3rd Countries can only lawfully process EU personal data if they have an adequacy ruling (i.e. the EU thinks our data protection regime is equivalent to the GDPR) or other mechanisms are used such as Standard Contractual Clauses, Binding Corporate Rules or derogations.
The UK was hoping to get an adequacy ruling during the transition period and whilst this may still happen it is becoming less and less likely as 2020 draws to a close.
Some of the reasons for this might be:
- The trade deal seems to be the number one priority
- Covid-19 has created inevitable delays in the negotiations
- Technically adequacy rulings can only be made once the UK becomes a 3rd Country
- The Schrems II ruling by the CJEU places question marks over countries whose security services operate in a similar fashion to the US
- The EU cannot be seen to have favourites and the UK is unlikely to be one
In our opinion, the UK is highly unlikely to get an adequacy decision.
What does no adequacy decision really mean?
What this means is that as a UK business you are sooner or later going to have to make some changes in the way you process EU personal data to remain legal.
Without an adequacy ruling the UK as a whole will not get a country wide ‘pass’ to be able to process EU personal data.
This leaves Standard Contractual Clauses to be set up between individual businesses, or Binding Corporate Rules or specific derogations.
Where your agreements are between you and an individual you need to ensure that those are also lawful in terms of GDPR.
BCR’s, SCC’s and Derogations are Still Legal
If you keep up with GDPR news you might be thinking that BCRs, SCCs and derogations are still legal so what is the problems for the UK?
In the case of EU transfers to the US, the European Data Protection Board made it very clear that SCCs and BCR’s should be assessed and where found to be insufficient would need supplementary controls. Any supplementary controls would require some mechanism to prevent the US security services from snooping on the data – a tall order.
Why does this affect the UK?
The EU has drawn a line in the sand. Briefly, any country who cannot provide an adequate level of data protection as the GDPR expects cannot legally process EU data.
The UK’s national security and mass surveillance practices place it very close the US is terms of protecting the rights of EU citizens and for this reason BCR’s and SCC’s are likely to be challenged.
Individuals may still opt to send their personal details to the UK but EU businesses may not.
And how long before the UK is subject to a legal challenge similar to Schrems II?
The brutal truth
If you were an EU business and had the choice of using a UK business with illegal, indeterminate, or potentially going to become illegal EU to UK data transfers OR an EU business fully compliant with the GDPR, what would you choose?
Worst Case Scenario
What nobody is prepared to say out loud is that for some organisations outside of the EU, and that will include the UK, that processing EU data may not be possible.
“Some UK companies may not be able to find a legal mechanism to process EU personal data”
If this is something you or your business is worried about then you should start looking at the implications now.
The information provided in this post is for general information only and is not intended to provide legal advice.