Leaving the EU and the Transfer of Personal Data

Our exit from the European Union is a complex process with many moving parts to consider. One less well known but very important area that needs to be addressed is the transfer of personal data between the UK and the EU.

The movement of personal data within and across borders is now a huge part of modern digitally driven economies. This is true for a wide range of sectors including technology companies and financial services. This means that companies can streamline their processes and limit the number of office locations needed around the EU. Currently the processing of personal data is governed by the EU data protection regime, which permits the intra-EEA transfer of personal data.

When the UK leaves the EU it will no longer be under this regime and will become a third party country with regard to data protection. It is in the interests of both the UK and EU to continue the current situation of smooth transfer of personal data.

techUK and UK Finance have worked with Dentons LLP to produce a report “No Interruptions: options for the future of UK-EU data sharing relationship” which considers the potential solutions available for the UK and EU in developing a framework for managing the future flow of personal data while minimising the potential disruption for customers, businesses, law enforcement and government.

They make a number of suggestions based around the framework of mutual adequacy decisions, including:

  • The UK and the EU should begin their adequacy assessment processes as soon as possible;
  • A standstill transitional arrangement should be agreed immediately;
  • The UK should ensure that its international and ‘onward transfer’ regime, including with the US, provides equivalent levels of protection to those set out in the EU’s regime.

Adequacy is a legal determination defined in EU data protection law that is given to countries deemed to have ‘adequate’ data protection standards. This replaces significant restrictions and safeguards with a general permission to move data. An adequacy assessment evaluates data protections and privacy laws, as well as security laws and international commitments to determine whether there is a level of protection of fundamental rights and freedoms that is 'essentially equivalent' to that guaranteed within the EU.

The UK has good reasons to be considered ‘adequate’ but this must not be presumed upon. The adequacy assessment processes for both the UK and EU should begin as soon as possible and furthermore a transitional arrangement should be established to allow time for these processes to take place and be implemented.

The techUK and UK Finance report helpfully concludes that “A mutual adequacy model would preserve the strong working relationships already in place between the UK and EEA and offer businesses much-needed regulatory certainty.”