Legal briefing | |

Data protection: European Commission publishes draft adequacy decision in respect of UK

Data protection: European Commission publishes draft adequacy decision in respect of UK

Overview

A barrier-free flow of personal data between the EEA and the UK shows much greater promise now that the European Commission has published its draft adequacy decision for the UK.  Whilst this is welcome news, it does not mean an end to post-Brexit uncertainty in this area.

Why is an adequacy decision needed?

Under the EU's General Data Protection Regulation (GDPR), transfers of personal data outside the EEA can only take place subject to certain conditions;  in particular, if the non-EEA country to which the data is being transferred is not deemed by the European Commission to provide "adequate protection" for personal data, then additional measures must normally be taken (such as putting in place written contracts incorporating standard contractual clauses prescribed by the Commission). 

THE CURRENT POSITION AND THE TCA "DATA BRIDGE"

Under the Trade and Cooperation Agreement (TCA) agreed between the UK and the EU in December 2020, transfers of personal data from the EU to the UK can continue without further action on the part of EU based controllers or their UK based counterparts for at least 4 months (to end of April 2021), with a possible extension by a further 2 months (i.e. until the end of June 2021).  This is designed to give the European Commission sufficient time to reach a decision on whether the UK regulatory framework is "adequate".  The so-called "data bridge" is conditional on the UK not changing its data protection legislation without the EU's consent. 

What does the draft adequacy decision say?

The draft adequacy decision concludes that the UK provides an adequate level of protection for personal data transferred from the EEA and within scope of EU GDPR. If approved, businesses will be able to rely on the adequacy decision to transfer personal data from the EEA to the UK (removing the need to put in place an additional safeguard, such as the Standard Contractual Clauses). The European Commission has also published a similar draft decision with respect to the Law Enforcement Directive. 

The European Commission's draft includes a detailed assessment of the UK authorities' ability to access and use personal data transferred from the EEA. This is a key consideration in any adequacy assessment, as confirmed in the recent Schrems II case which invalidated the EU-US Privacy Shield, largely due to US surveillance laws.

SOUNDS LIKE GOOD NEWS – WHAT'S THE CATCH?

Whilst the draft adequacy decision is certainly good news for frictionless data flows between the EEA and the UK, even if it is approved, it will not entirely remove the spectre of trade barriers in relation to personal data.  In particular:

  • If approved, the adequacy decision will be subject to review every four years. Now the UK is no longer required to keep step with the EU regime, there is greater risk of UK data protection laws diverging away from EU standards. The ICO and the UK legislators will seek to balance developing an innovative and pragmatic data protection regime whilst engendering public trust and maintaining EU confidence in the parity of the UK's data protection laws. The UK will need to closely consider the third countries that it awards its own adequacy decisions to as the contradiction of EU adequacy analysis has the potential to undermine the UK's relationship with the EU

  • The approved adequacy decision could be legally challenged by the Court of Justice of the European Union (CJEU) and be declared invalid in a similar way to the EU-US Privacy Shield. Such a challenge is anticipated by some, particularly as the UK's surveillance laws have already received recent challenge by the CJEU in the Privacy International case. In this case, the CJEU ruled that EU law did not permit the UK to instruct electronic communication service providers to undertake bulk collection of e-comms data (the general and indiscriminate transmission of traffic data and location data)  for the purpose of safeguarding national security. This successful challenge to the UK's surveillance practices may encourage the legal testing of a UK adequacy decision.

Where are we now?

The European Commission's draft will now be considered by the European Data Protection Board (EDPB) for its opinion prior to approval by EU member state representatives. Although the EDPB's opinion is non-binding, the comments are likely to be taken seriously by the European Commission and so significant comments from the EDPB have the potential to slow down the timeline.

As noted above, for the time being and until end of April 2021 (or if extended, the end of June 2021), the data bridge agreed in the TCA enables the free flow of data from the EEA to the UK. In order to prevent disruption to data transfers between the EEA and UK, it would be helpful for the European Commission to follow its stated objective, that to the extent that the UK was found to provide adequate protection, a formal decision would be adopted before the TCA data bridge expires.

WHAT SHOULD BUSINESSES DO?

Given the possibility of a legal challenge and the fact that any adequacy decision will be subject to review, businesses should continue to maintain a watching brief on their business critical data flows from the EEA to identify (i) those flows which would be most at risk if an adequacy decision was to be successfully challenged or overturned on review; and (ii) alternative safeguarding mechanisms or derogations which could be relied on to plug the gap.

For more information on the TCA generally, see our Business-friendly guide to the UK-EU Brexit trade deal

For an update on the EU's recent adequacy decisions in respect of the UK, please read our Brexit: UK gets data adequacy decision briefing.

GET IN TOUCH

Read Nneka Cummins Profile
Nneka  Cummins
Read Vivien Halstead Profile
Vivien Halstead
Back To Top