Brussels on the verge of issuing a positive data adequacy decision for UK

The European Commission could announce the decision as early as this week

The European Union (EU) is set to recommend a positive data adequacy decision for the UK after finding that Britain has sufficient measures in place to protect European users' personal data.

The Financial Times says it has seen a draft decision that will allow data to continue to flow from the EU to the UK under the same rules as it does currently, when interim measures end in June.

A final declaration by the European Commission (EC) is expected to announce the decision this week.

The decision will boost law enforcement cooperation between the EU and the UK, which had been adversely affected by Britain losing access to the European Arrest Warrant system and SIS II police database during Brexit negotiations.

The move will also come as a relief for tens of thousands of businesses in the UK - especifically those in the health, technology and insurance sectors - which share personal customer information on a regular basis and feared the worst post-Brexit.

However, the measures will be kept under review by the EC, according to the report, and will also be open to legal challenges at the European Court of Justice (ECJ). One such challenge brought to the ECJ last year (Schrems II) led to invalidation of parts of the Privacy Shield data transfer arrangements between the EU and the USA.

The European Data Protection Board must endorse the draft decision before it is passed, although does not have the power to block it.

It will also be re-examined every four years to ensure that the privacy of EU citizens is not compromised by the UK rules.

The UK currently has a temporary arrangement with the EU to allow data transfer, although a full adoption of the Commission's decision must take place before 30th June 2021.

Chris Combemale, CEO of the Data Marketing Association (DMA), said that during the pandemic period, a positive data adequacy decision will ensure that EU markets are more accessible to UK businesses.

"A positive decision on data adequacy will be a huge relief for thousands of businesses across the country who will be able to continue to market their products and services to EU customers," Combemale said.

"The DMA has been working closely with DCMS to ensure this vital component of the UK-European relationship continues and will continue to advocate for rapid conclusion of the EU approval process."

Last year, a report by the New Economics Foundation (NEF) and UCL's European Institute warned that British businesses face a massive increase in costs if a data sharing agreement is not reached with the EU. The report estimated the costs to be between £1 billion and £1.6 billion, unless the UK could show the EU that it has appropriate measures in place to protect users' data and privacy.

UK firms would be excessively affected by a no-deal Brexit, the authors said, and would likely face new legal fees. The report estimated the average compliance cost to be £3,000 for micro firms, £10,000 for small and £20,000 for medium-sized business. It also warned that the total costs could deprive businesses of investment in new technology, research and staff at a critical time. Data centres, digital technology and financial services would be badly hit in that situation.

The UK's data protection rules are currently in line with those in Europe, but Vera Jourova, EU vice-president for values and transparency, said the bloc will be keeping an eye on any backsliding when forming new trade deals. "We will need to be very vigilant that such developments do not undermine the level of protection we would have found to be adequate," she said.

Commenting on the story, Wim Stoop, CDP customer and product director at data management company Cloudera, said: "This ruling could be short-lived should the EU tweak its laws and strike agreements with other countries in the future. Businesses can't rest on their laurels and hope this day doesn't come. Instead, they have to act now to protect themselves and this starts with ensuring their data is properly managed and compliant with rules and regulations, regardless of new ones which may come into force later down the line."