UK-EU agree six-month ‘data adequacy’ bridge

18 February 2021

Enterprises can keep data flowing to and from the European Union (EU) as normal post Brexit, thanks to a temporary solution that will keep the current rules in place for several months.

The bridging period of up to six months has been agreed to ratify a data “adequacy” agreement to allow for the continued free flow of personal data between the UK and the bloc.

A vote in the House of Commons saw a majority of 448 ( 521 votes to 73) approve legislation to pass the EU-UK post-Brexit deal that was announced on Christmas Eve into UK law. Data adequacy is an EU process to certify that a country, or a specific industry within a nation, meets equivalent standards to the bloc’s rules on data protection.

Paul German, chief executive officer at Certes Networks, which delivers data security technology solutions to enterprises and governments worldwide, told Networking+ what this arrangement was designed to achieve.

“Data adequacy is just a way to measure the data security controls/regulations in non-EU countries who trade with EU data and it is absolutely the right thing to do to ensure the PII data of both countries/states are protected by enforceable regulation that has a common set of goals, objectives and outcomes,” he said. “This is nothing new but just simply applies to the UK now we are no longer part of the EU; however, because we were part of the EU we have the necessary GDPR controls in place and as such will only be affected should there be a material change in the GDPR guidelines, which I don’t think is going to happen in the next six months.”

German added that once that period ends, he expects to see a set certifications/regulations and guidelines implemented by a body like the Information Commissioner’s Office, that allows the regulations and controls implemented in each country to be easily measured against one another. “This will be in the interest of finding an alignment that would allow easy establishment of parallel controls/practices that would ensure equal handling of each other’s sensitive data,” he said.

Reinout Bautz, general counsel at Zivver, the email data protection specialist told Networking+ how “incredibly important” it was for the UK and EU to agree the deal.

“The agreement is a standstill period, which essentially offers the EU more time to issue a so-called adequacy decision, which shall permit a cross-border data transfer outside the EU, or onward transfer from or to a party outside the EU without further authorisations or safeguards being required, Bautz said. “At first it was very doubtful whether the EU would speed up the process of issuing such an adequacy decision within time. However, it is now anticipated that the six-month period under the adequacy agreement provides ample time to take the necessary decisions. Given the economic interdependence and extensive data transfer between the EU and UK it is pivotal that such an adequacy decision will be in place prior to expiration of the agreement and therefore the UK will not just be seen as a ‘third country’ under the GDPR (with all its consequences). 

A number of organisations had been hoping for a deal to be signed sooner rather than later and TechUK chief executive officer Julian David said the wider tech sector have been highlighting the importance of a data adequacy agreement since the day after the 2016 referendum. “Data adequacy is so important, not just because of the economic costs of failing to reach an agreement, estimated to be around £1.6bn to the UK economy, but because of the high level of integration between UK and EU tech companies, a partnership which this year has helped achieve a record $41bn invested in UK and European companies,” he said.