Keep up to date with our articles, latest news and industry developments. See below for the latest posts or use the category listings to hone your search for stories of interest.
Green Light for UK Adequacy
On Monday 28th June 2021, the European Commission formally announced its adoption of two Adequacy Decisions for the United Kingdom, one under the General Data Protection Regulation and another under the Law Enforcement Directive. The decision came almost five years exactly since the UK’s referendum vote took place, and only two days before the expiry of the Brexit bridging mechanism, which was part of the EU-UK Trade and Cooperation Agreement signed on 30th December 2020.
Speaking on the day of the announcement, Justice Commissioner Didier Reynders said ‘After months of careful assessments, today we can give EU citizens certainty that their personal data will be protected when it is transferred to the UK. This is an essential component of our new relationship with the UK.’
The decision means the UK will become the thirteenth addition to the Commission’s ‘whitelist’ of countries and dependencies that are recognised as providing adequate levels of protection to personal data transferred outside the EU.
At least practically, data transfers between the EU and the UK will remain unchanged from the transfers taking place under the post Brexit bridging mechanism. This is because an adequacy decision from the Commission effectively assimilates transfers of personal data from within the EU to third countries, with intra-EEA transfers of personal data.
Article 45 of the GDPR mandates that where the European Commission deems that a third country provides an adequate level of protection to personal data, transfers to such country, do not require any specific authorisation and no additional safeguard or derogations, laid out in Articles 46 and 47 of the GDPR, will be needed.
The Commission’s decisions add to the UK’s previous ruling that the EU provides an equivalent level of protection to personal data to protection it receives within the UK, meaning personal data can continue to be transferred bilaterally between the UK and the EU.
The UK’s Information Commissioner responded to the decision saying “Approved adequacy means that businesses can continue to receive data from the EU without having to make any changes to their data protection practices.”
EU and UK organisations alike will be relieved to learn that transfers of personal data can continue unaffected from the EU to the UK, without the need to implement safeguards such as Standard Contractual Clauses, which will likely now also be subject to additional supplementary measures in wake of the Schrems II judgement.
However, this may not be the end of the UK adequacy discussion.
For the first time, the Commission has implemented a ‘sunset clause’ to the adequacy decisions. While Article 45 (3) of the GDPR details a periodic four-year review of implementing decisions by the Commission, the sunset clause included in the most recent decisions effectively sets an automatic expiry date on UK adequacy after four years. The UK’s adequacy status can then be renewed, providing the Commission decides an adequate level of data protection has been maintained.
The inclusion of this clause is likely down to the stance taken by the UK on data protection legislation, since Brexit. The Department for Digital, Culture, Media & Sport (DCMS) has previously hinted that the UK will look to diverge from EU data laws in the wake of Brexit, in order to facilitate growth and opportunity in the digital economy. Speaking in March, Oliver Dowden said “in [the UK’s] rule making, we can take a slightly less European approach as set out in the GDPR by focusing more on the outcomes that we want to have and less on the burdens of the rules imposed on individual businesses.”.
On release of the decisions the Commission stated that “[they will] continue to monitor the legal situation in the UK and could intervene at any point, if the UK deviates from the level of protection currently in place. Should the Commission decide to renew the adequacy finding, the adoption process would start again”.
UK and EU businesses alike will need to keep abreast of both local and EU wide legislative development and be prepared to act on any changes that may arise in the UK’s adequacy status as a result of shifting data protection legislations.
Further, despite the adequacy decisions allowing for continued free-flow of personal data, the GDPR Article 27 requirements for UK based Controllers and Processors to engage EU representatives where necessary and the equivalent requirements for EU Controllers and Processors to engage UK representatives, will still remain and should not be ignored. Organisations with multiple EU establishments will need to designate their lead supervisory authority while privacy policies may need amendment to ensure clients and customers are fully informed about the movement of their personal data.
For more information regarding UK-EU personal data transfers please contact Phil Thompson, Partner or Sam Ridgway, Data Privacy Consultant.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.