17 Dec 2020

Deal or no deal, we urgently need a solution to protect EU-UK data flows post-Brexit

DIGITALEUROPE, representing over 36,000 digital and digitalising companies, calls for a swift agreement on data adequacy that would allow the continued free flow of personal data across the channel.

Director-General of DIGITALEUROPE Cecilia Bonefeld-Dahl said:

“If negotiators reach an agreement on a trade deal before 31 December, we will all let out a huge sigh of relief. But the job is not yet done.

Thousands of companies in the EU and the UK face legal uncertainty if there is no agreement on the transfers of personal data, at a time when they need it the least.

According to our latest survey, six out of ten European businesses transfer data between the EU and the UK. Not just tech companies, but manufacturers, retailers and finance too. Their business operations are in jeopardy if no solution is found.

The recent Schrems II ruling shows shows that transferring personal data in and out of the EU without a data adequacy agreement can be a tricky business. Companies will face new hurdles and restrictions to doing business. Nine out of ten surveyed post-Schrems 2 said the costs of complying with the new rules have been moderate or high.

Deal or no deal, we urgently need a stable solution to protect EU-UK data flows post-Brexit. If the adequacy process cannot be finalised by 31 December, the European Commission and the UK Government should remain flexible to identifying arrangements, such as a memorandum of understanding between data protection regulators, to avoid even a temporary cliff-edge situation for companies on both sides.”

Read DIGITALEUROPE’s latest survey

Schrems 2 data transfers survey: 85% of companies in Europe use standard contractual clauses

Adequacy preserves the autonomy of both parties

The political declaration between the two sides notes that the UK will establish its own international transfer regime and that a positive adequacy decision, if reached, would not affect the UK and EU’s autonomy over their respective personal data protection rules. The EU will conduct a review of the UK’s adequacy status at least every four years, which will take into account all relevant developments, this does not limit the legislative ability of the UK or the EU. These points have been noted in the respective parties negotiating objectives.

The UK will also review the EU and Member States under its own international transfers regime.

A failure to achieve adequacy will create regulatory risk for companies based in the EEA

In preparations for a no deal scenario the UK Government said that it would automatically recognise the EEA as adequate. This means that outbound transfers from the UK to the EU would not require appropriate safeguards, however inbound transmissions from the EEA to the UK would. In this event companies based in the EEA would need to implement appropriate safeguards to transfer data to the UK. Failing to do so could result in investigations and fines from national data protection authorities.

If the same steps were taken as before, in the event of a failure to achieve adequacy UK companies would have a greater degree of certainty, with the regulatory risk falling on EEA to UK data exporters.

Adequacy does not prevent either party from negotiating digital trade chapters in future free trade agreements

New Zealand holds an EU adequacy decision while also being a signatory of the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTTP). Japan also holds an EU adequacy decision while being party to agreements and negotiations which cover digital trade, such as the CPTTP and the U.S.-Japan Digital Trade Agreement and the EU-Japan agreement.

A loss of adequacy will disproportionately affect SMEs

TechUK’s 2019 survey of members highlighted that UK SMEs were significantly more likely to be impacted by no deal implications – including not achieving adequacy. More than half of small businesses (under 50 staff) and one third of medium-sized business (between 50 and 250 staff) had not taken active steps to prepare for no deal in August ahead of a presumed no deal exit on 31 October.

Anecdotal evidence suggests that levels of preparations within the UK have not increased much beyond this point, while among the EU 27 there is recognition that many companies are not aware of the adjustments they would need to make to continue legal personal data transfers to the UK.

Background

The revised Political Declaration agreed between the European Union and the UK Government sets the terms for the future of EU-UK personal data flows based on the EU’s adequacy process.

The latter requires an assessment to be conducted at the request of the European Commission of the UK’s data protection rules. The European Data Protection Board (EDPB) also provides its opinion to the Commission and EU Member States. Once UK standards are deemed to meet the required high standards, the Commission will propose an implementing act to adopt an adequacy decision.

Adequacy is a separate process that sits outside the central negotiations around the EU-UK free trade agreement (FTA). Achieving adequacy should be a mutual goal for both parties EU and does not impinge on the aims set out by either the European Council or UK Government in their respective negotiating objectives.

For more information, please contact:
Chris Ruff
Director for Political Outreach & Communications
Policy Paper 16 Apr 2021
DIGITALEUROPE’s guiding points on the work of the Commission’s Industrial Forum
Policy Paper 13 Apr 2021
DIGITALEUROPE’s recommendations for the Data Governance Act
Policy Paper 12 Apr 2021
Critical entities: ensuring coherence of non-cyber and cyber resilience
Hit enter to search or ESC to close
This website uses cookies
We use cookies and similar techonologies to adjust your preferences, analyze traffic and measure the effectiveness of campaigns. You consent to the use of our cookies by continuing to browse this website.
Decline
Accept