Following the UK’s withdrawal from the EU at the start of 2021, the UK was left with a bridging period during which data flows could continue unhindered between the EU and the UK. Without this bridging period, the UK would have been considered a third country for data transfers – this would have resulted in restraint on data flows between the two jurisdictions. Towards the end of the bridging period, the EU issued an Adequacy Decision, confirming that the UK’s data protection regime is sufficiently equivalent to the EU’s regime.
The decision was unsurprising. Very little of the UK’s regime changed prior to and following withdrawal from the EU, meaning that it was not just equivalent to the EU’s privacy regime, but broadly identical.
However, the Adequacy Decision comes with an important caveat - the decision will last for only four years, and will have to be renewed in June 2025. Additionally, the EU is able to intervene to withdraw an Adequacy Decision at any point if it feels that the recipient’s regime has weakened. The cumulative effect of these two points means that the UK is under significant pressure to avoid degrading the protection afforded to personal data; to do so could jeopardise international data flows.
With this in mind, at the end of last year, the DCMS initiated a consultation on amendments to the UK’s data protection regime. Whilst some of these amendments would bolster the protection of the current regime, such as bringing potential fines under the Privacy and Electronic Communications Regulations 2003 in line with the UK GDPR and Data Protection Act 2018, others are arguably more concerning, such as reducing focus on enforcement for low-level complaints. We have seen the Republic of Ireland’s data protection authority come under fire for failing to properly investigate complaints and remain independent from industry, which shows that a shift away from investigating privacy complaints may not be welcomed by the EU.
For more information on this article, please contact Hannah Pettit.