Mona Patel, Partner
Data protection: European Commission kicks off UK adequacy process
The European Commission (“Commission”) recently published its draft EU GDPR¹ adequacy decision (“Draft Decision”)² for data flows between the European Union (“EU”) and the United Kingdom (“UK”), bringing the UK closer to a positive decision on the continued free flow of personal data from the EU into the UK.
What is an adequacy decision?
An adequacy decision is a determination by the Commission that a non-EU country (or sector within a non-EU country) offers an adequate level of data protection and therefore that data can be shared with it. If an adequacy decision is made, then personal data can continue to be freely transferred from the EU to that jurisdiction without the need for additional mechanisms to facilitate the transfer (such as further safeguards or authorisation from a national supervisory authority).
12 adequacy decisions have been made under the EU GDPR since it came into effect, with Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay all being recognised as providing adequate protection. Adequacy talks are ongoing with South Korea.
Since decisions incorporate periodic reviews at least every four years, continued ‘adequacy’ depends on a jurisdiction maintaining its data protection standards.
What is the current position?
Post-Brexit, the UK largely adopted the EU GDPR as standalone UK law (“UK GDPR”). However, having left the EU without an adequacy decision, the UK became a ‘third country’ for data protection purposes. Transitional provisions have been applied to allow data flows from the EU to the UK. Pursuant to the EU-UK Trade and Cooperation Agreement (“TCA”) signed on 30 December 2020, data is able to flow freely to the UK from the EU under a four-month bridging period (extendable by two months), during which it is anticipated that the Commission's adequacy assessment process will be completed. This ‘long-stop’ period expires on 30 June 2021.
In relation to transfers from the UK to the EU prior to Brexit, the UK determined that the EU offers an adequate level of data protection for personal data transfers to the EU and such transfers are therefore not restricted. The UK government has indicated that this will be reviewed in 2024.
The Draft Decision
The Draft Decision seeks to assess whether data is allowed to flow between the EU and UK in essentially the same unfettered way as occurred before Brexit.
For the purposes of drafting the Draft Decision, the Commission considered (amongst other things) the following rules applying to the processing of personal data: the UK’s constitutional framework, the UK’s data protection framework, oversight and enforcement, access and use by public authorities of personal data transferred from the EU, and redress mechanisms. It concluded that the UK “ensures an adequate level of protection for personal data transferred within the scope of the [EU GDPR] from the European Union”. It also issued an adequacy decision under the EU Law Enforcement Directive³ for personal data processed by the law enforcement sector, which we do not consider in this article.
It is clear from the Commission’s press release regarding the Draft Decision that the UK must remain aligned to the EU's data protection standards in order to retain ‘adequacy’ status (if granted). The press release said:
“It is also worth noting that the UK is – and has committed to remain – party to the European Convention of Human Rights and to “Convention 108” of the Council of Europe, the only binding multilateral instrument on data protection. This means that, while it has left the EU, the UK remains a member of the European “privacy family”. Continued adherence to such international conventions is of particular importance for the stability and durability of the proposed adequacy findings.” ⁴
What happens next with the Draft Decision?
There are further steps the Commission must take before the Draft Decision is finalised and an adequacy decision is issued in favour of the UK:
- The Draft Decision will be scrutinised by data protection authorities from across the EU through the European Data Protection Board (“EDPB”), who will issue an advisory opinion;
- The Commission will take into account (but not be bound by) the EDPB’s opinion; and
- The Draft Decision will be submitted to a committee of representatives from all EU member states to green light.
Once these steps have been completed, the Commission will be free to adopt the Draft Decision. It is unclear how long this process may take, but the approval process for Japan’s adequacy decision (the Commission’s most recent adequacy decision) took approximately four months. Under the TCA, that process needs to be completed by the end of June in order to ensure continuity of transfers.
The adequacy decision, once adopted and in force, will not be permanent. It will be re-examined every four years by the EU and the UK. The wording of the Draft Decision also makes it clear that the Commission will continuously monitor the UK’s legal framework and that, in the event the UK no longer continues to offer an adequate level of data protection, the Commission may partially or completely suspend or repeal its adequacy decision.
If the Draft Decision is adopted, must we still consider appointment of an EU representative and location of the lead supervisory authority?
UK businesses should still consider their data flows carefully. Despite the adequacy decision, the UK and the EU are still subject to separate regulatory regimes. Whilst the EU GDPR may not apply in the UK, data processing activities undertaken by UK businesses in the EEA will still be subject to the EU GDPR (and vice versa with respect to EU businesses conducting processing activities in the UK).
From 1 January 2021, businesses that process data in the EU and the UK (or are UK-based, offer goods or services, or target individuals in the EU and vice versa) are now subject to both the EU GDPR and the UK GDPR and, depending on their operations, may still need to:
- Appoint an EU representative or a UK representative; and
- Consider which EEA or EU supervisory authority will be their lead supervisory authority (“LSA”), since the UK Information Commissioner’s Office may no longer be the LSA for data controllers and data processors located in the UK but without a main establishment in the EEA.
The Draft Decision will come as a significant relief to UK businesses who are already grappling with the repercussions of Schrems II (see our previous note here). A UK adequacy decision would bring more certainty for businesses concerned by post-Brexit data flows.
However, it is worth bearing in mind that, even with a favourable UK adequacy decision, the continued ability to freely transfer data to and from the EEA will remain subject to scrutiny from the Commission and challenges in the EU courts (as demonstrated in 2020 when the European Court of Justice found the EU-US Privacy Shield to be invalid). As such, organisations operating in the EU and UK will need to continue to monitor developments.
The above does not constitute legal advice nor does it consider a complete list of issues to consider in the context of the UK or EU GDPR. Should you have any queries, please do not hesitate to contact the authors of this article or your usual contact at Ince.
¹ General Data Protection Regulation (EU) 2016/679