EU rules UK data protection is ‘adequate’ in boost for business

Decision that allows information to continue to flow to and from UK could be revoked ‘immediately’

British data protection standards are “adequate”, the EU has ruled in a long-awaited decision that lets digital information continue to flow between the UK and the bloc. But Brussels warned Boris Johnson’s government the decision could be revoked “immediately” if it sees weakening UK standards.

Failure to get a positive decision would have risked plunging British businesses into disarray, leaving industries from banking to logistics scrambling to set up more costly, bureaucratic alternatives to share data.

The UK will retain “adequate” status for four years, but the commission warned that could be withdrawn at any time if UK law was no longer deemed to offer EU citizens protection over how their data was used.

The European Commission vice-president Věra Jourová said: “The UK has left the EU but today its legal regime of protecting personal data is as it was. Because of this, we are adopting these adequacy decisions today.”

She added that the commission had listened “very carefully” to concerns expressed by the European parliament, EU members and the European Data Protection Board, “in particular on the possibility of future divergence from our standards in the UK’s privacy framework”.

Under pressure from the European parliament, the commission put a four-year sunset clause on the adequacy decision, a safeguard applied to no other country, which reflects mistrust of the British government’s ability to protect EU citizens’ data.

Didier Reynders, the European commissioner in charge of data protection, said the adequacy decision could be withdrawn “immediately” if the commission had serious concerns.

“Of course we have a procedure and we will give the opportunity to the UK to react and to explain what are the possible solutions, if we have a problem,” he said. “But if there is a real urgency this can be done immediately. So it’s possible to stop the process or to suspend or amend if we have real concerns. It’s a unilateral decision of the commission to do that.”

John Foster, the director of policy at the Confederation of British Industry, said the breakthrough in the EU-UK adequacy decision would be welcomed by businesses across the country. “The free flow of data is the bedrock of modern economy and essential for firms across all sectors – from automotive to logistics – playing an important role in everyday trade of goods and services.”

The digital secretary of state, Oliver Dowden, said: “After more than a year of constructive talks, it is right the European Union has formally recognised the UK’s high data protection standards.”

During the Brexit transition period, the government largely copied key EU legislation into the UK statute book, notably the landmark General Data Protection Regulation (GDPR) and the Law Enforcement Directive, which governs data sharing in police and law enforcement.

Brexiters on the Tory backbenches are pressing Boris Johnson to ditch the “prescriptive and inflexible” GDPR. A taskforce set up by Downing Street to “seize new opportunities from Brexit” said GDPR should be replaced with UK laws on data protection. The EU’s GDPR “overwhelms people with consent requests and complexity they cannot understand while unnecessarily restricting the use of data for worthwhile purposes”, states the taskforce report drawn up by Iain Duncan Smith, Theresa Villiers and George Freeman.

The group said consumers needed stronger rights, while data should be “free[d] up” to allow the UK to capitalise on artificial intelligence and data-driven healthcare. The prime minister promised to give their report “the detailed consideration it deserves”.

During the Brexit negotiations, analysts at the New Economics Foundation warned that the absence of a deal on data could cost UK firms up to £1.6bn, either in compliance costs or higher prices for goods and services. Any company that shares data between the UK and EU – via payroll or health records – could be affected if Brussels decides to withdraw adequacy.

Only 12 countries, including Canada, Switzerland and New Zealand, have positive adequacy decisions from the EU. The US was deemed partially adequate, but these decisions have been thrown out twice by the European court of justice. The two legal victories for the privacy campaigner Max Schrems concluded the EU-US agreements on data-sharing failed to protect EU citizens from snooping by US intelligence agencies.


Jennifer Rankin in Brussels

The GuardianTramp

Related Content

Article image
New UK data protection rules are a cynical attack on immigrants | Claude Moraes
Non-nationals in the UK will lose data rights in a discriminatory move that worries the European parliament, says Claude Moraes, a Labour MEP

Claude Moraes

05, Feb, 2018 @10:00 AM

Article image
Ministers risk judicial review of plan to deny immigrants data access
Campaign groups say clause preventing access to records will make EU citizens ‘second class’

Lisa O'Carroll Brexit correspondent

09, May, 2018 @5:00 AM

Article image
Home Office plans to deny immigrants access to data 'are illegal'
Digital rights campaigners threaten legal action if data protection bill clause is enacted

Owen Bowcott Legal affairs correspondent

05, Mar, 2018 @11:58 AM

Article image
What is GDPR and why does the UK want to reshape its data laws?
The government says an overhaul will boost growth and increase trade – but it must be careful not to go too far

Alex Hern Technology editor

26, Aug, 2021 @12:47 PM

Article image
Tech firms like Facebook must restrict data sent from EU to US, court rules
Long-running legal saga finds inadequate protections against snooping on personal data by US intelligence agencies

Alex Hern

16, Jul, 2020 @11:30 AM

Article image
European parliament approves tougher data privacy rules
‘Groundbreaking’ changes strengthen EU privacy protections, enshrine right to be forgotten and give regulators wide-reaching powers

Samuel Gibbs

14, Apr, 2016 @12:22 PM

Article image
EU data protection law may end up protecting scammers, experts warn
WHOIS, one of oldest tools on internet for verifying real identities, at risk of being killed due to tough new GDPR regulations

Alex Hern

06, Feb, 2018 @12:50 PM

Article image
EU agrees draft text of pan-European data privacy rules
New rules will strengthen European citizens’ privacy protections, while a controversial proposal to raise ‘age of digital consent’ to 16 was devolved to member states

Samuel Gibbs and agencies

16, Dec, 2015 @11:30 AM

Article image
UK to overhaul privacy rules in post-Brexit departure from GDPR
Culture secretary says move could lead to an end to irritating cookie popups and consent requests online

Alex Hern

26, Aug, 2021 @9:19 AM

Article image
Facebook refuses to promise GDPR-style privacy protection for US users
Firm working on version of EU data protection law but Mark Zuckerberg stops short of promising all changes will apply to US users

Alex Hern

04, Apr, 2018 @9:44 AM