Do the Proposals for the UK’s New Data Protection Regime Endanger its “Adequacy”?

10/09/2021 Data transfers have become increasingly complex following the Schrems II judgement and the subsequent EDPB Recommendations. Unfortunately, the recent consultation document released by the UK’s Department for Digital, Culture, Media & Sport regarding the Post Brexit UK’s data protection regime does not appear to make things any clearer for organizations operating in the EU & UK. If you manage one of these organizations or are simply interested in the rapidly developing topic of data transfers, read our blog below.

The UK’s Current Data Protection Regime

After the Brexit transition period, the UK essentially retained the EU GDPR within their national laws, known as the “UK GDPR”. Together with the amended Data Protection Act 2018, the UK GDPR represents the current post-Brexit UK data protection regime. Although the UK shares an essentially equivalent GDPR to the EU for now, the UK is entitled to diverge from EU data protection law through statutory reform.

Data Transfers under the EU GDPR

The EU GDPR charges data exporters’ the responsibility of ensuring an equivalent level of data protection between the EU and the third country of destination. Organizations are required to verify the appropriate transfer tool to facilitate their transfer. Failing the existence of an EU Adequacy Decision, organizations must rely on one of the Art. 46 EU GDPR Transfer Tools such as Standard Contractual Clauses (“SCCs”), Binding Corporate Rules (“BCRs”), or, in minimal and exceptional circumstances, they can rely on one of the Art. 49 EU GDPR derogations.

 The Current Adequacy Decision between the EU & UK

The European Commission on 28 June 2021 adopted an EU Adequacy Decision concerning post-Brexit UK. This decision recognized the national laws of the UK as providing a level of data protection essentially equivalent to the EU, thereby allowing for personal data to flow freely from the EU to the UK. However, this Adequacy Decision has a novel element in the form of a four-year sunset clause. Essentially, the decision of the European Commission is only valid for four years, after which it must be actively renewed if it’s determined that the UK’s national laws still provide an equivalent level of data protection. The sunset clause, therefore, creates a strong incentive for the UK to keep its data protection regime in line with EU standards in order for the UK Adequacy Decision to be renewed.

Proposed Changes to the UK data protection regime

On 10 September 2021,  however, the UK’s Department for Digital, Culture, Media & Sport released a consultation document containing various proposals that would alter significant aspects of the UK’s data protection regime. In their own words, “Outside of the EU, the UK can reshape its approach to regulation and seize opportunities with its new regulatory freedoms, helping to drive growth, innovation, and competition across the country.”

 The consultation document suggests a more flexible approach to data transfers than currently offered in the EU. Among these proposals are the following:

1. Providing organizations more flexibility to use alternative transfer tools in addition to the ones provided in Art. 46 UK GDPR (like SCCs and BCRs);
2. Allowing the Secretary of State to unilaterally create or recognize new alternative transfer tools; and
3. Increasing flexibility around organizations' reliance on Art. 49 UK GDPR derogations by explicitly permitting the use of repetitive derogations (note that, in contrast, the repetitive use of derogations is expressly restricted under the EU GDPR).

It is good to point out that the consultation document is not limited to data transfers alone. Whilst a number of other proposals reflect minor clarifications aimed at addressing existing uncertainties within the current UK GDPR, there are proposals which would result in a significant divergence from the current UK data protection regime. Below we have listed some of the more significant proposals outside of data transfers.

1. The introduction of a cost limit to Data Subject Access Requests (“DSAR’s”)

• This would allow organizations to refuse DSAR’s that would cost over a certain amount. The intention of this proposal is to protect organizations from “weaponized DSAR’s.”

2. The removal of the Data Protection Impact Assessments requirement

• This would allow organizations to adopt personalized approaches to identify data protection risks that better suit their specific circumstances.

3. Granting additional powers to the UK Information Commissioner’s Office (“ICO”)

• This would permit the ICO to commission independently produced technical reports and grant them the ability to compel witnesses.

4. The introduction of “Privacy Management Programmes.”

• This programme aims to implement the UK GDPR’s accountability principle in a more flexible and risk-based accountability framework.

What Could This Mean?

For the moment, these proposals are precisely that, proposals. It would be too early to speculate what actual implications these proposed changes would have on businesses operating in the EU & UK. Nonetheless, the proposed changes have in general been welcomed in the UK by both business owners and the ICO. In their response to the DCMS’s consultation, the ICO welcomed any discussion of possible approaches allowing organizations to continue importing and exporting personal data easily while simultaneously maintaining the high data protection standards that protect the British people. The ICO explicitly stated its support for the introduction of alternative transfer tools.

However, the ICO did also stress the need for more detail from the DCMS concerning how these proposed transfer tools would work in practice. The worst-case scenario for parties  concerned would be if the European Commission interpreted the increased flexibility of the UK’s data protection regime as lowering the overall standard of data protection within the UK. Such developments could potentially endanger the validity of the current UK Adequacy Decision granted by the EU. In the words of the ICO, “Stakeholders, particularly UK businesses, have [..] consistently stressed to the ICO how important it is for them to secure and retain the UK’s adequacy status with the EU.” For now, we can only wait to see how these developments unfold.

Considerati will pay close attention to this issue and provides tailor-made advice to affected organizations as developments occur. If your organization is uncertain how to handle the current developments related to data transfers or is looking for advice on how to implement these developments, please contact us.