As is traditional at this time of year, declarations and plans for the future are made…the EU Commission is no exception to this.
On 10th January 2020, the Council Working Party (Article 50) published slides for presentational and information purposes concerning the topic of the “ruling of adequacy” to make the UK a safe place to transfer Personal Data once the UK leaves the European Union (EU). Whilst the UK Government have been stating their intent to request such a ruling for some time, this clarification and outline of the process will come as a relief to businesses within the UK that rely on free transfers of data, for example those in the telecoms, technology, and financial services industries.
In summary, if the UK withdraws from the EU with agreement on 31st January 2020 there will follow an 11 month transition period which will allow for:
- Adoption of negotiating directives;
- Conduct of negotiations;
- Signature/conclusion and entry into force of future agreement by 1st January 2021
In other words, the assessment of the UK privacy framework will commence with a view to providing an adequacy decision under the General Data Protection Regulation (GDPR) by the end of 2020.
The slides presented set out the steps to adopt the adequacy decision:
- Assessment by the Commission, in close cooperation with the UK
- Draft Commission decision (Implementing Act)
- Opinion by European Data Protection Board
- Comitology: vote by Member States (qualified majority) in the Standing Committee
- Adoption by the College
At the same time as this negotiation, the UK have also committed to ratify data transfers to the EU from the UK as “safe”.
Of course there is still a risk that the ruling of adequacy may falter: the UK may not achieve its goals during the 11 month transition period and be left with a “no-deal” scenario. If that were to occur, UK businesses would need to enter into standard contractual clauses with their EU based counterparts to evidence “safe” transfers: one way or another data transfers will occur in line with GDPR requirements.
To conclude, the information presented by the Council Working Party (Article 50) is good news. With a ruling of adequacy in place businesses will not have to enter into administratively burdensome standard contractual clauses and can instead rely on the ruling which preserves the status quo i.e. the free flow of personal data between the UK and the EU.