Question to the Department for Digital, Culture, Media & Sport:

To ask the Secretary of State for Digital, Culture, Media and Sport, what assessment he has made of (a) the likelihood of the EU granting a positive data adequacy decision, (b) the likelihood of a positive data adequacy decision being made within the next six months and (c) the effect on UK industry in the event that a positive adequacy decision is not taken before the end of transitional measures.

(a) The UK has been in formal talks with the European Commission since March 2020 to secure data adequacy decisions under both the General Data Protection Regulation and the Law Enforcement Directive. The EU’s adequacy assessments ascertain whether UK data protection standards are ‘essentially equivalent’ to the EU’s. Given we have an existing data protection framework that is equivalent to the EU’s, we see no reason why the UK should not be awarded adequacy.

(b) The EU left insufficient time to adopt data adequacy decisions before the end of the transition period. We have therefore agreed with the EU a time-limited ‘bridging mechanism’ which will allow personal data to continue to flow as it does now whilst EU adequacy decisions for the UK are adopted. In practice, we do not expect the bridging mechanism to be in place for more than 4 months, which is when the bridge is envisioned to expire, but there is scope to extend it to 6 months if required. As stated above, given the UK has an existing data protection framework that is equivalent to the EU’s, we see no reason why the UK should not be awarded adequacy in this timeframe.

(c) In the event that positive adequacy decisions are not ratified before the end of the bridging mechanism, businesses would be able to use alternative legal mechanisms to continue to transfer personal data from the EU to the UK. Standard Contractual Clauses (SCCs) are the most common legal safeguard and will be the relevant mitigation for most organisations. As a sensible precaution, before and during the bridging mechanism, businesses should consider putting in place alternative transfer mechanisms to safeguard against any interruption to the free flow of EU to UK personal data.