Some post-Brexit positivity: EU grants the UK data protection adequacy decision.
With the June 30th deadline only days away, it was announced yesterday that the UK had been granted an ‘adequacy’ status by the European Union. Jorja Knight, Head of Legal at PromoVeritas, explains why the decision is a positive one for those running promotions.
This ends a long period of concern about the flow of data from the UK to the EU/EEA as the adequacy decision provides for a free flow of data. “The decisions mean that UK businesses and organisations can continue to receive personal data from the EU and EEA without having to put additional arrangements in place with European counterparts”.
The EU press statement says the UK’s data protection system continues to be based on the same rules that were applicable when the UK was a Member State of the EU. The UK has fully incorporated the principles, rights and obligations of the GDPR and the Law Enforcement Directive into its post-Brexit legal system.
The sticking point has been the UK authorities' use of personal data, and sensitive data, relating to criminal activities and offences. This hurdle was overcome by a second adequacy decision on the same day, called the Law Enforcement Directive. The wider GDPR principles are woven through this decision and if you feel like reading 52 pages, you will need to download it from the link in the EU press statement above.
This is a big step forward. We expected an adequacy decision to take longer. It means:
- We can be less pedantic, on this issue, when we review Data Processing Agreements and Privacy Policies, as data can flow between us and EU/EEA clients / consumers in relation to promotions.
- The UK GDPR principles and the Data Protection Act 2018 still safeguard privacy rights, but we can move away from the ‘standard contractual clauses’ for EU/EEA services which were the band-aid many were relying on.
However, as before, any international transfers of data to locations without an adequacy decision will mean, at a minimum, that there is extra diligence in information security checks and that reliance on standard contractual clauses will continue.