The Commission have issued an adequacy agreement to permit cross border data flows between the EU and the UK. Here are some notes, for an article that I’ll develop/post elsewhere. …
I say,
The Commission flagged the agreement of a data adequacy ruling earlier in the year and finally agreed it with two days to go. The parliament is more sanguine. The EDPB is also more cautious, and we expect the CJEU to be so too. Whenever the CJEU has ruled, it has ruled in favour of citizens, whereas the ECtHR gives nation states significant leeway.
Data Adequacy is important for SME’s as there are alternative means by which cross border data can be authorised, these are “standard model clauses” for inter company transfers and “binding corporate rules” for intra-company transfers. These have a not insignificant compliance cost and are easier for large companies than small but it will be less attractive for large EU based companies to deal with multiple contracts with small companies, brutally put, it is not worth the effort for them.
I also note that
Both the Commission and Parliament made much of the fact that the UK was the first country ever to leave the acquis but may have underestimated the fact that the UK never fully implemented the ’95 directive, that UK courts weakened the legal protection and that the took an expansive interpretation of member state powers defined in the GDPR Article 23 Restrictions. These are powers reserved for member states, not 3rd countries and the UK’s immigration exception means that EU citizens in the UK are not afforded all the protections of the GDPR as envisaged by the EU.