No one sensible professes that data protection practice is always easy, and discussions around whether the UK will, come 1 January 2021, have or be close to having, an adequacy decision from the European Commission are complex and highly political. However, I hadn’t, until today, encountered the argument that GDPR itself was a barrier to, er, attaining adequacy status.
But that is the remarkable assertion in this recent Diginomica piece:
GDPR Is a European data protection success story, yes? Well, yes…but it could also be a complicating factor in trying to secure a post-Brexit data adequacy deal between the UK and the EU.
It is a complicating factor, I suppose, in the same way that, say, a speed limit is for those who drive too fast.
The reason that an “adequacy deal” is being sought is because GDPR itself says, in Article 45, that the Commission may decide, after taking into account a number of factors, that a third country (such as the UK will become) offers an adequate level of protection for personal data. In the absence of an adequacy decision, GDPR imposes restrictions on the transfer of data to third countries.
GDPR is the reason we are seeking an adequacy deal, not the barrier to it.