The European Commission has decided that the UK provides an “adequate level of protection” – now what?
01-07-2021
Is your organisation subject to the EU GDPR, or do you do business with organisations who are subject to the EU GDPR? Read on to learn how the European Commission’s UK adequacy decisions could affect you.
Background
The European Commission has adopted two adequacy decisions covering transfers of personal data from the EU to the UK – one agreement covers transfers made under the GDPR, and the other under the Law Enforcement Directive – formally recognising the UK as providing an “essentially equivalent level of protection” to personal data flowing from the EU.
The UK had already made an equivalent decision about countries in the EEA prior to the UK’s exit from the EU, meaning that transfers could flow easily from the UK to those countries. These decisions complete that circle – and scraped in just before the end of the “bridge” agreed as part of the Trade and Cooperation Agreement on 30 June 2021.
What does this mean?
It means that organisations can continue to facilitate transfers of personal data from the EU to the UK without the need for specific transfer tools and supplementary measures.
What do I need to do?
You should take the opportunity to review and update your organisation’s Article 30 record of processing activities accordingly (if you haven’t already done so). In particular, you should identify any transfers of personal data from the EU to the UK, and record that those transfers are taking place on the basis of an Article 45(1) GDPR adequacy decision.
And while you’re at it – you might want to read our other briefing on the new EU standard contractual clauses for international data transfers, and how they should be used alongside revised guidance from the European Data Protection Board for other transfers from the EU.
What should I be aware of?
The adequacy decisions contain a so-called “sunset clause”, which means they will expire in four years’ time (from 28 June 2021). During the four-year term, the EU Commission will monitor legal developments in the UK and can intervene to review the adequacy finding at any point if the UK deviates from its privacy protections. If the adequacy of the UK regime remains “factually and legally justified”, the Commission should, in December 2024, initiate the procedure to extend the decision by, in theory, a further four years; but otherwise the decisions will expire at that point.
You should also know that the GDPR adequacy finding excludes transfers for the purposes of UK immigration control. This reflects a recent Court of Appeal judgment that held the “immigration exemption” contained in Schedule 2 paragraph 4 of the UK’s Data Protection Act 2018 is incompatible with Article 23 GDPR. So if you are transferring personal data from the EU to the UK for the purposes of maintaining effective immigration control or investigating/detecting activities that would undermine the maintenance of effective immigration control, then you will need to explore and implement other transfer tool options in order to make the transfer(s) lawful.
It’s worth noting that the adequacy agreements refer to the UK’s current data protection framework (which continues to be based on the EU’s GDPR and Law Enforcement Directive) and the UK being subject to the jurisdiction of the European Court of Human Rights, as key factors in support of the adequacy findings. So there are concerns being expressed over the longevity of the adequacy agreements, given:
- commentary and decisions against the draft decision during the formal consultation process;
- recent proposals to replace the UK GDPR with a completely new data protection regime, which were contained in an independent report published by the Taskforce on Innovation, Growth and Regulatory Reform put forward by; and
- the UK government’s ongoing review of the Human Rights Act 1998 by an independent expert panel.
As a counterbalance to those concerns, it is worth recalling that an adequacy decision was recognised by the UK Government as a key element in the exit arrangements with the EU, and has been strongly lobbied for in the past six months because of its importance to trade and growth. It is a precious prize, hard won. So for now, some good news for UK trade, as well as for those many international organisations battling to deal with the myriad of data protection law changes.
Updating your Article 30 record of processing now, and taking this into consideration for any arrangements which might extend beyond 27 June 2025, could really benefit you if for any reason during this period the Commission decides to intervene or not to renew. It allows you to keep those arrangements under review and, if necessary, start planning for that sunset in good time.
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full terms and conditions on our website.