British data protection standards are “adequate”, the EU has ruled in a long-awaited decision that lets digital information continue to flow between the UK and the bloc. But Brussels warned Boris Johnson’s government against weakening UK standards.
Failure to get a positive decision would have risked plunging British businesses into disarray, leaving industries from banking to logistics scrambling to set up more costly, bureaucratic alternatives to share data.
The UK’s “adequate” status is guaranteed for four years, but the commission warned it could be withdrawn if UK law was no longer deemed to offer EU citizens protection over how their data was used.
The European Commission vice-president Věra Jourová said: “The UK has left the EU but today its legal regime of protecting personal data is as it was. Because of this, we are adopting these adequacy decisions today.”
She added that the commission had listened “very carefully” to concerns expressed by the European parliament, EU members and the European Data Protection Board, “in particular on the possibility of future divergence from our standards in the UK’s privacy framework.
“We are talking here about a fundamental right of EU citizens that we have a duty to protect. This is why we have significant safeguards and if anything changes on the UK side, we will intervene,” Jourová said.
John Foster, the director of policy at the Confederation of British Industry, said the breakthrough in the EU-UK adequacy decision would be welcomed by businesses across the country. “The free flow of data is the bedrock of modern economy and essential for firms across all sectors – from automotive to logistics – playing an important role in everyday trade of goods and services.”
During the Brexit transition period, the government largely copied key EU legislation into the UK statute book, notably the landmark General Data Protection Regulation (GDPR) and the Law Enforcement Directive, which governs data sharing in police and law enforcement.
Brexiters on the Tory backbenches are pressing Boris Johnson to ditch the “prescriptive and inflexible” GDPR. A taskforce set up by Downing Street to “seize new opportunities from Brexit” said GDPR should be replaced with UK laws on data protection. The EU’s GDPR “overwhelms people with consent requests and complexity they cannot understand while unnecessarily restricting the use of data for worthwhile purposes”, states the taskforce report drawn up by Iain Duncan Smith, Theresa Villiers and George Freeman.
The group said consumers need stronger rights, while data should be “free[d] up” to allow the UK to capitalise on artificial intelligence and data-driven healthcare. The prime minister promised to give their report “the detailed consideration it deserves”, as he claimed there was a “thicket of burdensome and restrictive regulation that has grown up around our industries over the past half century”.
During the Brexit negotiations, analysts at the New Economics Foundation warned that the absence of a deal on data could cost UK firms up to £1.6bn, either in compliance costs or higher prices for goods and services. Any company that shares data between the UK and EU – via payroll or health records – could be affected if Brussels decides to withdraw adequacy.
Only 12 countries, including Canada, Switzerland and New Zealand, have positive adequacy decisions from the EU. The US was deemed partially adequate, but these decisions have been thrown out twice by the European court of justice, in rulings that show how fragile the EU’s data-sharing decisions can be. The two legal victories for the privacy campaigner Max Schrems concluded the EU-US agreements on data-sharing failed to protect EU citizens from snooping by US intelligence agencies.