It Could Take Two Years For EU To Give UK An ‘Adequacy Decision’ Under GDPR Regulations

In the Committee on Exiting the EU my questioning revealed it could take two years for EU to give UK an ‘Adequacy Decision’ under General Data Protection Regulation. This could hinder free flow of data to and from EU after Brexit. It's vital work is done now to prepare us for this process to avoid disruption.

Stephen Kinnock: Good morning. Could you just say a little bit more about what is required in order to secure an adequacy decision? What are the criteria? How is adequacy defined? Could you just unpack that a little more for us? I am not sure who would be best placed to answer that question.

Elizabeth Denham: It is clear in law. Article 45 of the General Data Protection Regulation outlines what components or considerations the European Commission will look at in making an adequacy decision or recommendation. They will look at the data protection law, the independence or not of the data protection authority, the administration of the law, the activities of national security and intelligence agencies and whether or not there was protection and redress for EU residents in that kind of scenario. We have seen some of this play out in other adequacy assessments, but under the GDPR we can expect more robust scrutiny by the European Commission under now the new law, under the GDPR. Perhaps my colleagues have something to add to that.

James Mullock: That is a very good summary. There is an adequacy mechanism also in relation to the Law Enforcement Directive, so there is a separate mechanism in relation to the sharing of information about witnesses, suspects and those involved in criminal proceedings. In terms of the points that are looked at, that was a good summary and we can talk about the process as well, which is what has traditionally taken so long. Generally these decisions take on average about two years to run through the various bodies that need to look at those criteria, but in terms of the criteria that is a good summary.

Stephen Kinnock: You are saying that, assuming that negotiations on this do not really start in earnest until we have left the European Union, you would normally expect it to take two years for us to receive that adequacy decision based on previous experience.

James Mullock: That is based on previous experience. The only exception to that was Privacy Shield, which was pushed through a lot quicker, but then people could see the court case coming and a lot of work went into the process in the run-up to the decision. Otherwise, yes, that is the average length of time.

Stephen Kinnock: There is a possible scenario there, assuming that we start in April 2019 on that process, that it would not be completed until April 2021, which is four months after the end of the transition period. What do you think would happen in that interim period? Would we be left in a vacuum or are there some other interim measures that could be taken?

James Mullock: We would be left with the other measures that the Information Commissioner mentioned, in terms of binding corporate rules, contracts and using Privacy Shield. I have seen some debate as to whether the process would have to wait until April to commence and whether it could not be commenced earlier, but to do that the various European bodies would need to be assessing what the state of UK law would be at the point of Brexit, and that might be something that they would struggle with. I guess there is the potential that you could argue that maybe an early start to the process should be possible.

Elizabeth Denham: The good news is that if the Data Protection Bill finds its way to the statute book, which is so incredibly important in this whole discussion, then on the date of exit the UK is going to be in a very good place to be able to check a lot of the adequacy boxes, and in a better state than any other third country could be.

The important thing to do would be to frontload the work and be ready for the assessment on the more difficult questions, because we are going to have equivalent law with the GDPR and the Data Protection Bill. You have a strong, independent regulator, who is administering the law of the land. We have a good story to tell when it comes to adequacy, but work could begin before that time, so that the UK is ready to have those more difficult discussions about national security, intelligence services and data. We have seen those discussions play out in the Privacy Shield assessment.

Stephen Hurley: If I might add, from a business planning perspective, from our side it is not so much that adequacy at some point in time would not be available to the UK if that is the choice the Government make. It is more the risk of a gap at some point in the process because of the time it takes. As you pointed out, there is a risk that at the end of transition there may be some period of months or possibly longer where there is no adequacy decision in place, where we have to rely on the other transfer mechanisms that the Information Commissioner mentioned.

Giles Derrington: If I may very quickly, the Prime Minister in her Munich speech said that the UK Government are ready to start some of these discussions now and the interim work. We thought that was quite sensible. We are keen to see what the next steps of that are. We do not quite know yet. Starting some of that process before we leave makes sense—at least the preparatory work—because quite a lot of this stuff is about getting the structures right for negotiations, because often you are having to discuss classified information in a non-classified process. When we have spoken to our colleagues in America, they said that one of the biggest challenges for time: setting up processes that allowed a conversation, which allowed the Commission to do a proper assessment of whether particular national security aspects were in line and were adequate.

Stephen Kinnock: I have just one final question, if I may, Chair. You are saying that the first step is for us to have the GDPR on the statute book. That is a crucial part of this process. What would you estimate would be the latest we could have or should have the GDPR on the statute book in order for all of the other dominos to fall in the way that we would want them to?

Elizabeth Denham: The GDPR has direct effect, so there is not a requirement in national law to bring in the GDPR, but what the Data Protection Bill does is completes the implementation of the GDPR and fills in the white space that member states can make decisions on, for example age of consent for children, the balance between privacy and freedom of expression and the powers of the Commissioner. The powers of the Commissioner are contained not in the GDPR, but the Data Protection Bill. It is really important that the Data Protection Bill finds its way to the statute book and also brings in the Law Enforcement Directive, which does not have direct effect. That is a directive, and it requires member state law to bring the Law Enforcement Directive into UK law. That is another very important aspect of the Data Protection Bill, which as you know is at third reading today.