Those of you who use cloud providers or other data processors in the EU can now relax as the EU has confirmed that they accept the UK GDPR as adequate to protect the data rights of EU subjects. This has happened just in time as the grace period agreed under the new EU UK treaty was due to end on 30 June 2021!
Can I transfer data freely between the UK and the EU?
Yes! The adequacy decision means that you don’t need to take any additional administrative actions to protect data transferred from the EU to the UK. The UK has already issued an adequacy decision in the other direction so transferring data to the EU is also acceptable.
Does this mean I don’t ever have to worry about EU transfers again?
No, the adequacy decision will be kept under constant review and may be restricted or removed if changes are made to the UK data protection regime. Any restriction or removal should be reported and of course we will try and keep you up to date on any changes. However, as the decision of the European Court of Justice in the Schrems II case has demonstrated, the decision of the political bodies in the EU may be overturned by the court at any time following a complaint. This means that it is important to consider developments in the law if your business relies on data transfer to and from the EU.
Does this mean I can ignore the GDPR?
No! The UK GDPR essentially mirrors the EU GDPR and the Information Commissioners Office (ICO) have been clear that they see the two as essentially equivalent and intend to continue working in harmony with the EU regulators. This means that guidance on the EU GDPR is likely to be considered and in large part adopted by the ICO unless a particular provision of the UK GDPR would prevent this. This should help to ensure that the UK adequacy decision remains in place.
This article is for information purposes only and does not amount to professional advice. If the issues raised effect you then professional legal advice should be sought. Please contact Rosemarie Close for assistance.