UK gains adequacy for EU-UK data transfers, despite opposition from LIBE Committee
What were the grounds of objection by the EU’s Civil Liberties, Justice and Home Affairs Committee (the LIBE Committee) to the EU’s decision to grant the UK adequacy for EU-UK data transfers?
The key takeaway
Despite protest from the LIBE Committee, on 28 June 2021 the European Commission (Commission) adopted its draft adequacy decisions in respect of both the GDPR and the Law Enforcement Directive, meaning that personal data can continue to flow freely between the UK and EU. This means that UK businesses and organisations can continue to receive personal data from the EU and EEA, without having to put additional arrangements in place with European counterparts.
The EU General Data Protection Regulation (GDPR) sets out the requirements for the processing of personal data and its free movement within the EU and EEA. Under the GDPR, data can be freely transferred between Member States and EEA countries. For third countries, which now include the UK following Brexit, an adequacy decision of the EU Counsel is required to allow the free flow of data between the UK and EU. After the UK’s exit from the EU, a six month “bridging” period was put in place while the EU assessed whether the UK should receive an adequacy decision that would allow data to flow freely from the EU to the UK.
On 11 May 2021 the LIBE Committee announced that it had passed a resolution evaluating the Commission’s approach on the adequacy of the UK’s data protection regime. This raised concerns around the implementation of the UK’s data protection framework, especially in the light of “…broad exemptions in the fields of national security and immigration, which now also apply to EU citizens wishing to stay or settle in the UK, and… a lack of court oversight of data policies, as well as wide executive powers”. This resolution followed the LIBE Committee’s earlier non-binding opinion (published on 5 February), which concluded that the UK data protection regime was inadequate and would fail to protect the data of EU citizens.
The LIBE Committee called for the Commission to amend its draft adequacy decisions in respect of both the GDPR and the Law Enforcement Directive, so that the decisions reflect CJEU court rulings and address European Data Protection Board concerns raised in opinions 14/2021 and 15/2021 (both opinions recommended the adoption of an adequacy decision, but highlighted some shortcomings in the UK data protection regime, including agreements between the UK and US allowing for surveillance of personal data).
The LIBE Committee urged the Commission to withdraw its draft adequacy decisions without first agreeing an action plan for the UK to address the perceived issues in its data protection regime, including access to personal data for surveillance purposes. However, despite these objections, the EU Commission ultimately adopted the UK adequacy decision on 28 June 2021.
Why is this important?
Failure to obtain an adequacy decision would have been disastrous for UK businesses over a wide range of industries. Analysts warned that the absence of an adequacy decision could have cost UK firms up to £1.6bn in compliance costs or higher prices for goods and services.
Any practical tips
The UK’s adequacy decision comes as a huge relief for UK businesses who work closely with EU Member States.
However, the topic of international data transfers remains a “live” one, as all eyes are now on the UK’s Information Commissioner (ICO) as to whether it will adopt the EU’s new Standard Contractual Clauses (SCCs) published on 4 June 2021. These new SCCs become mandatory after 27 September 2021 for new agreements (ie the old SCCs can be used up until this date for new agreements). For any pre-existing agreements using the EU’s old SCCs, there is a transition period until 27 December 2022, after which the new SCCs will have to be incorporated.
The ICO has previously stated that it only recognises the EU’s previous SCCs (valid as at 31 December 2021) as an adequate means of international data transfer from the UK and that it is looking towards developing its own UK SCCs for such transfers. The current situation leaves businesses with somewhat of a challenge - by needing to continue to use the old EU SCCs for transfers outside the UK and the new EU SCCs for transfers outside the EU. Clearly this is far from ideal. While we await an update from the ICO, it makes sense to get ready for the changes to come – for example, by conducting an audit of your contracts to determine which involve international data transfers and, more specifically, which involve data transfers from the UK and which from the EU in order to be ready for the eventual outcome.