British data protection standards are “adequate”, the EU has ruled in a long-awaited decision that lets digital information continue to flow between the UK and the bloc. But Brussels warned Boris Johnson’s government the decision could be revoked “immediately” if it sees weakening UK standards.
Failure to get a positive decision would have risked plunging British businesses into disarray, leaving industries from banking to logistics scrambling to set up more costly, bureaucratic alternatives to share data.
The UK will retain “adequate” status for four years, but the commission warned that could be withdrawn at any time if UK law was no longer deemed to offer EU citizens protection over how their data was used.
The European Commission vice-president Věra Jourová said: “The UK has left the EU but today its legal regime of protecting personal data is as it was. Because of this, we are adopting these adequacy decisions today.”
She added that the commission had listened “very carefully” to concerns expressed by the European parliament, EU members and the European Data Protection Board, “in particular on the possibility of future divergence from our standards in the UK’s privacy framework”.
Under pressure from the European parliament, the commission put a four-year sunset clause on the adequacy decision, a safeguard applied to no other country, which reflects mistrust of the British government’s ability to protect EU citizens’ data.
Didier Reynders, the European commissioner in charge of data protection, said the adequacy decision could be withdrawn “immediately” if the commission had serious concerns.
“Of course we have a procedure and we will give the opportunity to the UK to react and to explain what are the possible solutions, if we have a problem,” he said. “But if there is a real urgency this can be done immediately. So it’s possible to stop the process or to suspend or amend if we have real concerns. It’s a unilateral decision of the commission to do that.”
John Foster, the director of policy at the Confederation of British Industry, said the breakthrough in the EU-UK adequacy decision would be welcomed by businesses across the country. “The free flow of data is the bedrock of modern economy and essential for firms across all sectors – from automotive to logistics – playing an important role in everyday trade of goods and services.”
The digital secretary of state, Oliver Dowden, said: “After more than a year of constructive talks, it is right the European Union has formally recognised the UK’s high data protection standards.”
During the Brexit transition period, the government largely copied key EU legislation into the UK statute book, notably the landmark General Data Protection Regulation (GDPR) and the Law Enforcement Directive, which governs data sharing in police and law enforcement.
Brexiters on the Tory backbenches are pressing Boris Johnson to ditch the “prescriptive and inflexible” GDPR. A taskforce set up by Downing Street to “seize new opportunities from Brexit” said GDPR should be replaced with UK laws on data protection. The EU’s GDPR “overwhelms people with consent requests and complexity they cannot understand while unnecessarily restricting the use of data for worthwhile purposes”, states the taskforce report drawn up by Iain Duncan Smith, Theresa Villiers and George Freeman.
The group said consumers needed stronger rights, while data should be “free[d] up” to allow the UK to capitalise on artificial intelligence and data-driven healthcare. The prime minister promised to give their report “the detailed consideration it deserves”.
During the Brexit negotiations, analysts at the New Economics Foundation warned that the absence of a deal on data could cost UK firms up to £1.6bn, either in compliance costs or higher prices for goods and services. Any company that shares data between the UK and EU – via payroll or health records – could be affected if Brussels decides to withdraw adequacy.
Only 12 countries, including Canada, Switzerland and New Zealand, have positive adequacy decisions from the EU. The US was deemed partially adequate, but these decisions have been thrown out twice by the European court of justice. The two legal victories for the privacy campaigner Max Schrems concluded the EU-US agreements on data-sharing failed to protect EU citizens from snooping by US intelligence agencies.
