There are many businesses and organisations which rely on the transfer of personal data across borders.
The free flow of personal data supports trade, innovation and investment, assists with law enforcement agencies tackling crime, and supports the delivery of critical public services sharing personal data as well as facilitating health and scientific research.
On the 28 June 2021 the EU adopted two adequacy decisions for the UK, one under the General Data Protection Regulation (EU GDPR) and the other under the Law Enforcement Directive (LED). This adequacy decision allows the continued free-flow of personal data between the EU and UK for a period of four years, at which point the European Commission will review the adequacy decision. While this is a welcome development there are ongoing risks which could impact the validity of the data adequacy decision in the future.
The EU’s decision to grant the UK data adequacy status, which rightly recognises the country’s high data protection standards, means that UK businesses and organisations can continue to receive personal data from the EU and EEA without having to put additional arrangements in place.
However, having data adequacy now does not guarantee that it will always be there in future.
The data adequacy decision is unilaterally granted by the European Union and it can be revoked or revised without the need to engage with the UK.
Some of the main risks to data adequacy remaining in place include:
- Legal challenge – Data protection is a highly litigious area and the European Court of Justice (ECJ) has previously taken a hard line approach to protecting the data of EU citizens. It is possible a legal challenge of the data adequacy decision for the UK might occur in the future and therefore a risk that any decision by the ECJ could impact the EU’s decision to continue to grant the UK data adequacy status.
- Automatic renewal – In granting the UK data adequacy, the European Commission has, for the first time, included a mandatory reassessment and renewal of the data adequacy decision for the UK in four years.
- UK divergence regarding data protection laws – the adequacy decision is based on the UK’s current data protection regime, which remains relatively unchanged since EU exit. If that system or framework were to change or be altered in future then it could impact on the EU’s assessment for granting data adequacy to the UK.
The above issues present a risk of potential disruption to the data adequacy agreement in the future and therefore personal data flows between EU and UK for UK and NI businesses and public bodies. Northern Ireland businesses should maintain preparedness for the possibility of the EU-UK data adequacy being suspended, withdrawn or altered. It is therefore recommended that businesses continue to prepare for possible disruption and consider alternative measures which can be put in place in that event.
Indications of Business Preparedness
In August 2020, the Department for the Economy commissioned an online questionnaire of NI businesses to assess business preparedness for the end of transition period and a scenario where a positive adequacy decision has not been achieved.
The headline results of the 2020 online questionnaire can be seen below. Of the businesses that responded to the survey:
- 66 per cent advised that EEA data was essential for business functions
- 66 per cent thought no deal EU exit would have a big impact on their business
- 6 per cent have undertaken all actions to prepare for a no deal exit, a further 14 percent have undertaken some action
- Some 80 per cent of respondents had no contingency plans in place for cross border data transfer in a scenario where data adequacy is not achieved.
What can business do?
As a sensible precaution, businesses and organisations should maintain preparedness and seek advice on the use of alternative legal mechanisms for the continued import of data from the EU, in the event adequacy is no longer in place. It is recommended that you work with EU/EEA organisations who transfer personal data to you to put in place alternative transfer mechanisms to safeguard against any future interruption to the free flow of EU to UK personal data.
The most common alternative legal mechanisms for transferring data from the EU into the UK are Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs).
A number of links below will help guide you in seeking further guidance:
The UK Information Commissioner’s Office
The UK Information Commissioner’s Office has published guidance for business at Information Commissioners Office (ICO) website. ICO advice and guidance can be found at:
If you require further assistance, the ICO has a contact number 0303 123 1113 and a live chat function
Invest NI also has guidance on a wide variety of EU Exit issues and provided you meet the criteria you may be eligible for a grant:
The EU Exit Business Support Grant has eligibility criteria which means it is only open to existing Invest NI customers. Within the grant there is up to £25k support for ‘specialist consultancy’ that data management advice could be supported under.
Invest NI customers can also access high level specialist advice of up to 2 days with a legal services firm who can advise on data. Again this support is only available to Invest NI customers and is subject eligibility.
Currently the scheme will run until at least the end of current financial year. Any extension will be subject to review.
InterTradeIreland has published advice and provided you meet the criteria they have a £2,000 Brexit voucher scheme. Further info is available at:
The £2,000 Brexit voucher scheme, administrated by Intertrade Ireland, is subject to review in December 2021.