EU formally grants UK 'data adequacy' but legal challenges likely

Announcement comes as UK opens digital trade negotiations with Singapore

The European Commission today gave the UK 'adequate' status with respect to data protection regulations. The decision, which was widely trailed, means that data transfers between the UK and EU countries can continue as before.

"This will be welcome news to businesses, support continued co-operation between the UK and the EU and help law enforcement authorities keep people safe," said digital secretary Oliver Dowden. "We will now focus on unlocking the power of data to drive innovation and boost the economy while making sure we protect people's safety and privacy."

However, the EC's decision was made in the face of opposition from a majority of MEPs who voted for an amendment, regulators and privacy groups, who argued that the UK's surveillance laws and treatment of immigrants' personal data should make it ineligible.

The adequacy arrangement is not permanent. It is limited to four years and will be contains a sunset clause, which has been included for the first time. After that period, it will be renewed provided the EU is "satisfied that a sufficient degree of data protection remains".

Should the UK diverge significantly from the GDPR, adequacy could well be challenged before that, said Bill Mew, a lawyer and CEO of management consultancy The Crisis Team. Mew cited the Schrems II ruling by the European Court of Justice which struck down the Privacy Shield data transfer agreement between the EU and the US last year, saying the legal realities and the political realities are similarly out of step in this case.

"The political reality is that the decision was given in favour of the UK, but this could be overturned by the legal realities if it is challenged at any point, and I think it inevitably will be," Mew said, on a GRC Forums panel discussion last Tuesday. "The political decision was made in the face of some legal realities that were chosen to be ignored."

Indeed, recent signals coming from the UK government indicate a desire to move away from the GDPR, with the TIGRR report by three conservative MPs suggesting alterations to provisions such as Article 5, which restricts the collection of personal data to "specified, explicit and legitimate purposes," and restrictions they argue hinders the development of AI; and Article 22 which covers the right of individuals not to be subject to a decision based solely on automated processing.

Back in March, Dowden suggested that Britain needs to "take a slightly less European approach to data privacy". The impetus behind these suggestions is to make it easier to make trade deals with nations such as the US, India and China which have less stringent data protection rules.

Yesterday the government announced it is negotiating a digital trade deal with Singapore.

UK international trade secretary Liz Truss said: "A cutting-edge deal with Singapore will keep us at the forefront of the technological revolution, ensuring we lead the way in digitally delivered trade and industries like fintech and cybersecurity.

"Our ambition is to make the UK a global hub for services and digital trade, by striking a series of advanced, high-standards agreements with leading nations across the world that drive productivity, jobs, and growth across the UK."