What is Adequacy?

January 25, 2021

Adequacy, the word that has been on everyone’s lips – well, perhaps not everyone’s.

Throughout the UK’s transition period out of the EU, the media has been filled with talk of fishing rights, import and export tariffs, and free movement of people. Meanwhile, those in the data protection world have been debating how Brexit will impact the free movement of data. In every debate on this topic, the word adequacy will invariably arise, described as the ideal solution to guarantee the free flow of data between the EU and UK. However, what does ‘Adequacy’ actually mean? This blog attempts to provide some clarity on just that.

What is adequacy and why is it important?

Adequacy, or Data Adequacy, is a status that the European Commission can grant to countries that are not part of the European Economic Area (EEA). To be deemed adequate, countries outside of the EEA (known as third countries) must provide a level of personal data protection that is ‘essentially equivalent’ to the protection provided in EU law. In other words, the European Commission must be satisfied that EU residents’ personal data will be just as protected within the third country, as it is in the EU.

Currently, the European Commission have deemed 12 countries adequate:

  • Andorra
  • Argentina
  • Canada
  • Faroe Islands
  • Guernsey
  • Israel
  • Isle of Man
  • Japan
  • Jersey
  • New Zealand
  • Switzerland
  • Uruguay

When a country is deemed adequate, personal data is able to flow freely between it and the EEA, with no extra precautions required. From a UK perspective, imports and exports of both goods and services rely heavily on the guaranteed free flow of personal data to and from the EU. The Department for Digital, Culture, Media & Sport estimates that EU personal data-enabled services exports from the UK to the EU are worth approximately £85 billion, and similar exports from the EU to the UK approximately £45 billion. Therefore, it is vital that this free flow of data continues.

If not deemed adequate, organisations will have to provide additional safeguards in order to transfer personal data to and from the EU and process the personal data of EU residents. This will be costly, so may impact UK organisations’ ability to be competitive within the market when up against their European counterparts that do not have the same expenditures.

Will the UK be deemed adequate?

Although the UK has transposed the GDPR into its domestic law (the ‘UK GDPR’ entered into force on the 1st of January 2021), this does not guarantee adequacy. A potential stumbling block comes in the form of national security legislation, such as the Investigatory Powers Act 2016.

In two recent cases, the CJEU ruled to restrict the grounds for mass data retention for surveillance purposes. In the future, governments will only have grounds for mass data retention where they face a ‘serious threat to national security’. This does not align with the provisions within the Investigatory Powers Act, which allows for wider surveillance, albeit with safeguards in place. This is problematic because following the Court’s judgment, national security legislation can now be taken into account by the European Commission when making an adequacy assessment, putting an Adequacy decision in the UK’s favour in doubt.

What is the situation now?

The UK left the EU on 31st December 2020; however, the Brexit deal that has been agreed has provided a bridge period of up to six months whereby the existing rules on data transfers between the UK and EU will remain in place. The hope is that by June 2021 the European Commission will have granted the UK adequacy, thus avoiding any disruption to data flows.

So, at present, personal data can still flow freely between the EU and the UK without any additional safeguards in place. Whilst no additional transfer safeguards are needed as of yet, not all GDPR obligations have stayed the same since 1st January.

Article 27

Since the UK has now formally left the EU, organisations that were previously exempt from complying with Article 27 because they had an establishment in the UK will now have to appoint an EU Representative. This means that if your organisation has a presence in the UK but not in the EU, and regularly processes the personal data of EU citizens, you will now be in breach of your GDPR obligations if you have not appointed an EU Rep.

Similarly, the UK GDPR, which has its own Article 27, came into force on 1st January 2021. Therefore, if your organisation regularly processes the personal data of UK citizens but does not have a presence within the UK, you are now required to appoint a UK Representative.

As the UK is now a 3rd Country in respect of EU data protection law (and vice versa), Article 27 applies in both of these scenarios, irrespective of an adequacy decision.

Conclusion

There is no guarantee that after this bridging period the UK will be deemed adequate and personal data will be allowed to flow freely; nor is there any certainty that the European Commission will have come to a decision on this point by June 2021. Currently, the fastest adequacy assessment took 18 months for Argentina, but some have taken up to five years.

It is therefore recommended by the ICO that organisations should plan for the possibility that the UK will be deemed inadequate, if they wish to continue processing EU data subjects’ data past the 30th of June. However, perhaps more urgently, organisations must also consider, if they have not already, whether they are required to appoint an EU or UK Representative.

© 2021 DPO Centre. All Rights Reserved.