European Commission awards draft adequacy decision to the UK

How can data transfers between the UK and the EU be securely and legally executed following Brexit?

The key takeaway

Entities transferring data between the UK and EU, and who feared a new hard-line data transfer regime following Brexit, can begin to breathe easy again following a display of support from the European Commission in the form of its draft adequacy decision for the UK in February 2021.

The background

Under the General Data Protection Regulation (GDPR) and Law Enforcement Directive (LED), the European Commission is empowered to assess whether a non-EU state provides a level of data protection that is essentially equivalent to that provided within the EU. Where such protections are deemed to be “adequate”, any transfers of personal data between the EU and non-EU state can take place without being subject to any further conditions.

Following the UK’s exit from the EU, the UK’s data regime had to be reassessed to judge whether it was truly adequate under EU law and whether the EU could continue to permit the free flow of data that had been enjoyed between the UK and other Member States. The UK’s data protection regime is governed by the UK GDPR and the Data Protection Act 2018 (DPA). Both are derived from the EU GDPR and the LED, providing similar rights to data subjects and placing similar obligations on controllers and processors, and this had created optimism as to the UK’s position post-Brexit.

However, 2020 saw the unfurling of a series of unexpected events in the data sphere which cast uncertainty over what would come next for the UK, in particular:

• the CJEU’s invalidation of the longstanding EU-US Privacy Shield as an accepted data transferral mechanism following the hearing of Schrems II in July 2020. Under this decision, the CJEU held that the Privacy Shield failed to comply with the level of protection required under EU law, causing massive disruption in the EU-US data transfer market
• the CJEU’s rulings in two separate cases in October 2020 that mass surveillance by national security agencies in France, Belgium, and the UK did not align with EU law (see our Winter 2020 Snapshots). Following these judgments, questions were raised regarding the future data transferring relationship between the UK and the EU, with the Investigatory Powers Act 2016 appearing incompatible with EU law with respect to data processing.

If the EU had deemed the UK’s data protection regime to be inadequate, the implications would have been huge, including from an administrative and cost perspective.

The development

Despite the fears around compatibility, on 19 February 2021 the European Commission concluded that the UK ensures “an essentially equivalent level of protection” to the one guaranteed under EU law. Following this assessment, the Commission launched the process towards the adoption of two adequacy decisions for transfers of personal data to the UK under the GDPR and LED.

One influencing factor in this decision is thought to be that the UK, despite leaving the EU, remains part of the European “privacy family” through its adherence to both the European Convention of Human Rights and to “Convention 108” of the Council of Europe, the only binding multilateral instrument on data protection. Compliance with such measures is a key factor for the Commission in judging whether a nation can provide appropriate levels of stability and durability.

Why is this important?

The UK government has warmly welcomed the draft decisions stating that “seamless international data flows are essential in a hyper-connected world. They underpin the exchange of information and ideas supporting trade, innovation and investment, assist with law enforcement agencies tackling crime, and support the delivery of critical public services sharing personal data as well as facilitating health and scientific research”.

The announcement will be gratefully received by many UK and EU businesses, for whom uncertainty around the future status of data transfers has led to the postponement of significant data innovation projects and the setting aside of finance to account for potential additional compliance requirements had adequacy been denied. Although the Commission’s decisions will need to be finalised and approved, this vote of confidence creates a strong and stable base for digital trade with the EU that will give businesses the confidence to invest and to advance their data-focused projects at a time where such innovation is critical to survival in an increasingly competitive market space.

Following the receipt of an opinion from the European Data Protection Board, the Commission will be able to proceed with obtaining approval from Member States through the comitology procedure (a process by which EU law is modified or adjusted via “comitology committees”chaired by the European Commission). This then enables the Commission to adopt the final adequacy decisions for the UK. Once adopted, the Commission’s decisions will be valid for four years, following which it will be possible to renew. Until then, data flows between the EEA and the UK continue and remain safe under the EU-UK Trade and Cooperation Agreement. This interim period expires on 30 June 2021.

The UK’s adequacy status going forward will remain dependent on the UK maintaining the existing standards of its data protection regime. The Commission Vice President has taken this opportunity to remind the UK that the Commission retains the power to withdraw adequacy in order to “address any problematic development of the UK system”. At a time when the UK is seeking to forge new trade relationships outside of the EU, this serves as a timely reminder to the UK to be cautious in the face of any pressure from potential trade partners to relax its existing standards.

Any practical tips?

Breathe a deep sigh of relief! If the European Commission had gone the other way on its adequacy finding, life would have become very costly, and frankly very boring, putting all those Standard Contractual Clauses in place.