Just in Time - EU Adopts Adequacy Decisions for free flow of data with UK

On the 28 June 2021, the European Union (EU) adopted two adequacy decisions which permit the free flow of personal data from the EU and the European Economic Area (EEA) to the UK. The adequacy decisions are given under the EU General Data Protection Regulation (GDPR) and Law Enforcement Directive (LED), and include the EU’s assessment of the UK’s data protection standards. The decisions are necessary because EU data protection law limits transfers to a third country (the UK became a third country as a result of Brexit), and under the EU – UK Trade Cooperation Agreement the transition period was due to expire on the 30 June 2021.

The awaited decision has followed over a year of discussions and will mean that UK businesses and organisations can keep receiving personal data from the EU and EEA, without implementing additional measures. The decision under the LED covers the specific transfer of personal data for law enforcement purposes and cooperation on judicial matters. The UK has already recognised the EU and EEA member states as having adequate regimes, thus creating a reciprocal regime for the transfer of personal data.

The decisions recognise the UK’s high data protection standards and its close alignment with the EU regime. This includes the UK’s choice to retain the GDPR, tailored to the U.K. and known as the “UK GDPR”, and Law Enforcement Directive obligations following Brexit. They also conclude that the UK has strong safeguards of personal data, especially data collected for national security reasons. The protections include subjecting public authorities to authorisation from an independent judicial body to collect personal data, and assessing such requests on their necessity and proportionality to achieve their aim. Additionally, there is a complaint mechanism for individuals to bring an action before the Investigatory Powers Tribunal if they believe they have been subject to unlawful surveillance. The decisions were also supported by the UK’s commitment to international bodies such as: the European Court of Human Rights, European Convention of Human Rights and the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal data.

Conditions Attached

However, there is conditionality to the adequacy decisions that the UK does not deviate from EU standards of protection. The first limitation of the decision is that it excludes from its scope data flowing to the UK for immigration control. This is due to a decision from the Court of Appeal, which held that an exemption for controllers involved in immigration related activities from obligations under UK GDPR is incompatible with provisions in the UK GDPR itself.  The second is that for the first time, both adequacy decisions include a sunset clause limiting their duration to 4 years. The European Commission has also said it will actively review UK law on data protection and may intervene if standards deviate. This means that the UK risks losing the adequacy decisions or facing the review process again if it lowers standards of protection. It also raises the possibility that the UK could lose the adequacy decisions if it fails to adopt any changes made to the EU regime.

Comment

The decisions are of huge benefit to organisations who will not now be saddled with the burden of putting in place additional contractual terms or assessments when transferring personal data with the EU. It is also important to the UK to building trade agreements with other countries and developing international data transfer regimes across the world.