While the EU has just green-lit the free movement of personal data with the UK, the latter is already asserting its willingness to move away from the European GDPR, considering it an obstacle to innovation and efficiency. After long and difficult negotiations to obtain these equivalences, it seems that the UK is testing the limits of the EU.
Indeed, until the 1st of July, the UK remains in a transitional phase in terms of data protection regulations. This six-month transition period has been set from the 1st of January and aims at determining whether or not UK’s data regulation is equivalent enough to the EU’s GDPR. In brief, ‘adequacy’ is a term that the EU uses to describe other countries, territories, sectors, or international organisations that it deems to be providing an ‘essentially equivalent’ level of data protection to that which exists within the EU (Information Commissioner Office).
Now that we know what the outcome of this transitional phase is, let us consider what would have happened if this had not been the case.
The no adequacy scenario
Since the UK has already declared the EU data protection law adequate, data flows from the UK to EU countries would not have been directly impacted by this decision.
Without an adequacy decision, UK companies would have to operate under specific contracts, known as standard contractual clauses (SCCs), to ensure that they are processing EU citizens’ data in accordance with the law. The estimated cost of these contracts is over £1.5 billion, and it seems that small businesses would have been the first casualties. Globally, the whole economy would be affected, as the volume of personal data that is exchanged between the UK and the EU is substantial and extends to virtually all sectors.
The support of the 27 EU member states for the adequacy decision is therefore a clear relief for the UK which obtains the right to receive and process the personal data of EU citizens.
Are these negotiations already inadequate?
The recently approved adequacy decision only applies to the UK data regulation as it is currently written (known as the UK GDPR). But should this change, the EU has made it clear that it may reassess its decision and withdraw the agreement. However, over the last few months, the UK has made it clear that it wants to seize the opportunity of Brexit to depart from European regulation in order to stimulate growth and innovation.
In the face of these twists and turns, Estelle Massé, senior policy analyst and head of data protection at digital rights organisation Access Now, states: “ It’s very disappointing to work so hard to get this deal and then, when you’re about to get it, to tell the EU that it might change, » « It’s a really difficult diplomatic game – almost as if the UK was testing the EU’s limits ».
The next few months should therefore be crucial in revealing the extent to which the UK intends to change its regulation and how the EU will respond.
 Leprince-Ringuet Daphne Leprince-Ringuet | Modifié le mardi 22 juin 2021 à 18:56, Daphne. “RGPD : Une Décision D’adéquation Est Octroyée Au Royaume-Uni (Pour Le Moment).” ZDNet France, 22 June 2021, www.zdnet.fr/actualites/rgpd-une-decision-d-adequation-est-octroyee-au-royaume-uni-pour-le-moment-39924967.htm.
Leprince-Ringuet Daphne Leprince-Ringuet | Modifié le mardi 22 juin 2021 à 18:56, Daphne. “RGPD : Une Décision D’adéquation Est Octroyée Au Royaume-Uni (Pour Le Moment).” ZDNet France, 22 June 2021, zdnet.fr/actualites/rgpd-une-decision-d-adequation-est-octroyee-au-royaume-uni-pour-le-moment-39924967.htm.
Bohic, Clément. “RGPD : Les 27 Disent Oui Au Royaume-Uni.” Silicon, Silicon, 17 June 2021, silicon.fr/rgpd-oui-royaume-uni-410586.html#.