The Brexit negotiations were tough and, since the UK left the European Single Market and the Customs Union at the turn of the year, delays in trade and supply chains are also increasing. To ensure that the same doesn’t happen with the exchange of data between the EU and the UK, the European Commission recently published a draft for a so-called certificate of adequacy. It certifies that personal data in the UK is subject to a high level of data protection and thus allows its exchange without further authorisation. Currently, a six-month grace period applies as a transitional solution, and has earned criticism from the European Data Protection Board (EDPB).
It is good that the EU Commission has now presented a draft. But time is still pressing, because a lot is at stake: if the adequacy decision is not implemented, Europe will face massive economic consequences and affected companies may face heavy fines. Large corporations, small and medium-sized enterprises and start-ups are already exposed to considerable planning uncertainties. The Commission should not lose any time here and have to decide quickly how to proceed after the six-month transition period.
In any case, the current procedure for secure data exchange must not end up like Safe Harbor and the Privacy Shield: here, the European Court of Justice has already overturned the decision on data exchange with the USA twice. But there is also cause for hope: after all, the UK like all other EU states implemented the General Data Protection Regulation before Brexit. Let’s hope for the best that the EDBP will quickly confirm the adequacy certificate in order to continue to guarantee the free and secure flow of personal data between the EU and the UK!