By Louise Holton
Data adequacy refers to a status issued by the European Commission when a country outside of the European Economic Area (EEA) provides equivalent measures of personal data protection to those in European Law.
On 19 February 2021, the European Commission released a draft adequacy decision for data flows between the EU and UK, meaning the UK provides an adequate level of personal data protection to its EU subjects. Once this draft decision has been reviewed by the European Data Protection Board (EDPB) and individual EU Member States, the continuation of free-flowing data between the EU and UK will be enabled. A bridging mechanism was agreed until 30th June 2021, where data can continue to flow freely between the UK and EU, while the EU work through institutional requirements to agree on this adequacy agreement.
The UK already granted the EEA adequacy in 2020, enabling personal data to flow from the UK to the EU as usual. As well as this, third countries with existing data adequacy decisions granted by the EU, such as Japan, Canada and New Zealand, will also roll over and be considered as adequate by the UK.
What does this mean for my business?
Businesses are creating more data than ever before. We are increasingly reliant on data to better understand global consumers, improve processes and maximise efficiency. Transferring this data across borders is vital for all sectors of the economy, whether that be financial services, manufacturing or pharmaceuticals.
This adequacy decision will benefit businesses who regularly transfer data, including the personal data of customers from the EEA to the UK. Even though this draft decision already gives businesses further affirmation that data can continue to flow-freely, businesses still face many uncertainties and should implement the necessary mechanisms to ensure data flows go undisrupted.
How can my business protect its data flows?
Businesses should evaluate the risks associated with their current data flows and put alternative mechanisms in place, to reduce their reliance on adequacy. EU approved standard contractual clauses (SCC’s), intra-company transfers and binding corporate rules (BCR’s) are alternative mechanisms businesses should implement when trading between the EU and third-party countries. These mechanisms come with legal and administrative costs for businesses, but they will ensure legal and safe personal data transfers can continue, without relying on adequacy.
If your business offers goods and services, processes data or targets consumers in both the EU and UK, you will be subject to both EU and UK GDPR. For example, SCC’s are currently being reviewed as a mechanism to enable data flows to third countries without an adequacy agreement. As the UK adopted the existing SCC’s, businesses should keep up to date on these reviewed safeguards.
Closely monitor announcements from the TCA Partnership Council and the Information Commissioner’s Office (ICO), in case the UK also decide to adopt any reviewed safeguards from the EU.
Consider appointing a UK or EU representative to handle oversees customers, authorities and GDPR compliance. A representative is not a blanket requirement for all businesses. They primarily benefit those who process large amounts of data in the EU or UK, or process special categories of data and have no office space in the EU or UK.
Determine where your Lead Supervisory Authority (LSA) will be situated. Choosing an LSA can significantly reduce administrative burdens for businesses operating in multiple locations. This ultimately means you deal with one Supervisory Authority (in one country) by assigning a LSA in that country to handle GDPR compliance matters, rather than dealing with a Supervisory Authority in every country you operate in.
“DATA IS THE NEW OIL“
Data is a fundamental element of our daily lives in how we connect and conduct business operations, to provide services and coordinate complex supply chains. Data that is analysed in-depth, can stand at the core of any successful business and stimulate economic growth. The rise of social media, digital communications, the boom of e-commerce and digital enterprises are generating invaluable data to promote global innovation and value creation. Data must be widely available, easily accessible and manageable, to encourage the development of products and services. The internet is based on the principle of the free-flowing data. It eliminated barriers, made the world a smaller place and created this concept of a global village. The internet is free and fair, two components driving openness in our modern business practices and globalised society.
As the volume, power and economic value of data continues to grow, so have the risks and uncertainties surrounding e-privacy and cyber-security. When personal data is transferred outside of one’s home country, citizens feel this loss of control over how and where their data is being used. Similarly, governments seek to control information flows to their citizens, protect the rights of users and foreign surveillance and access data for law enforcement and national security purposes.
The Data Localisation Movement
The growing inward orientation of countries has resulted in more governments introducing new laws to reinstate digital barriers and reverse the inter-connectivity of our globalised society.
This poses significant challenges to cross-border data flows and the digital economy; however, the growth in the movement stems from a variety of motivating factors, from mitigating cyber-crime and generating geo-political advantages to economic competition advantages. Similarly, to goods and services, data as a national resource could move in- and out of nations and become taxable, generating new revenue streams for countries.
Data localising close to home
The data localisation movement is prominent within authoritarian countries such as Egypt, Iran and North Korea but is also expanding to countries such as Australia, Canada and even closer to home, within the European Union itself. The EU’s new data governance rules reflects their intention to create nine data spaces, where sensitive data on industry, energy and healthcare are stored in the EU to the benefit of local businesses.
This movement poses threats for the EU’s international trading partners, as local European businesses take advantage of internal data stored in government-operated servers, while foreign competitors face cost and regulatory burdens in accessing local data servers.
What does this mean for UK-EU trade?
In the Trade and Cooperation Agreement, the EU and UK agree to avoid restricting cross border data flows, with data localisation specifically listed as a restriction to data flows. Businesses involved in EU-UK trade can be reassured by the high-quality data protection regime and digital agenda that the UK intends to implement. Not only will this promote growth and innovation within the UK and the EU, but it will encourage the continued use of cross-border data flows to support the global economy as modern businesses become increasingly digitised and data-enabled.
Here at the British Chamber of Commerce, we will continue to update you with the necessary information to help all our members to succeed. We are all in this together, and with the right plans in place, consumer confidence can be restored. BritCham offers support, guidance and specialised coverage for both Brexit and COVID-19, including webinars, workshops and events that will give your firm the tools it needs to navigate through this challenging period.