The Draft UK Adequacy Decision: What's Next?

The Draft UK Adequacy Decision: What's Next?

Many organizations were relieved to learn that the European Commission has adopted a draft adequacy decision for the UK. If approved, the adequacy decision would enable organizations to continue transferring personal data from the EEA to the UK without impediment.

But the decision isn't final. There are many issues with the UK's data protection regime that could mean the adequacy decision is not approved. And if the adequacy decision is approved, many potential pitfalls might lead to its eventual invalidation.

This article will consider what the Commission says about the UK's data protection regime, what other factors might affect the UK's chances of earning or maintaining an adequacy decision, and what you can do to prepare for the worst-case scenario.


Why Does the UK Want an Adequacy Decision?

Here are the basics on data adequacy, and why it's so important for the UK and for businesses in the European Economic Area (EEA) working with UK businesses.

The EU is very protective of its citizens' personal data. Privacy is protected under the EU Charter of Fundamental Rights. For EU citizens, there's an assumption that your communications are private and your personal data is under your control.

The protection of personal data is why the EU enacted the General Data Protection Regulation (GDPR), which heavily restricts how businesses treat personal data.

Check out our free tools for website owners:

  • Cookie Consent - a free cookie consent solution to comply with GDPR + ePrivacy Directive.
  • CCPA Opt-Out - a free CCPA opt-out solution to allow visitors to opt-out from personalized ads and comply with GDPR.
  • I Agree Checkbox - a free solution to enforce your legal agreements.

Generate legal agreements for your website or app in minutes with TermsFeed: Privacy Policy, Terms & Conditions, Cookies Policy and more.

But when businesses based in the EEA (which comprises all the EU Member States plus Iceland, Liechtenstein, and Norway) want to send personal data to organizations in "third countries" (non-EEA countries), there's no guarantee it will receive the same level of protection.

That's why Chapter 5 of the GDPR sets strict rules governing third-country transfers.

Personal data may only be transferred from the EEA to a third country if one of the following applies:

  1. The recipient's country has received an adequacy decision from the European Commission (Article 45)
  2. The transfer is covered by a contract containing standard contractual clauses (SCCs) (Article 46)
  3. The sender and recipient are within different entities of a multinational corporation or corporate group within which Binding Corporate Rules have been agreed (Article 47)
  4. The transfer is an exceptional event, and the sender can rely on one of the GDPR's derogations (Article 49)

By far the best option for businesses sending personal data from the EEA, and businesses receiving personal data in the UK, is number 1: an adequacy decision.

Research from University College London suggests that failing to achieve data protection adequacy would cost UK businesses between $1.4 and $2.2 billion in additional compliance costs alone.

Keeping data flows to the UK open is crucial for thousands of UK and EEA businesses.

Isn't the UK Already a Third Country?

Yes, the UK has now fully transitioned out of the EU and is a third country. But this hasn't affected data flows yet.

When the UK and the EU agreed on the EU-UK Trade and Cooperation Agreement (TCA, available here), it contained a section known as the "bridging mechanism" or "interim provision" that would allow personal data to keep flowing to the UK until April 30, 2021, with a possible extension to June 30, 2021.

This means that the UK has a "temporary adequacy decision" while the EU assesses whether it should get a full adequacy decision.

What Does the Commission's Decision Mean?

What Does the Commission's Decision Mean?

The European Commission has recommended that the UK receives "adequate" status.

The Commission's draft adequacy decision (available here) states that the UK has "essentially equivalent" levels of data protection as those provided under the GDPR and that personal data flows should remain open at least until a review date in four years.

Is the Commission's Decision Final?

No, the adequacy decision isn't a "done deal." Two things must happen before the Commission's decision is finalized:

  • The European Data Protection Board (EDPB) must give its (non-binding) opinion on the decision.
  • A committee of EU Member State representatives must approve the decision under the "comitology procedure."

The committee of EU Member State representatives is likely to approve or reject the decision before the end of April, when the interim provision expires. But there's no guarantee that the committee will approve the decision.

The Draft Adequacy Decision

The Draft Adequacy Decision

Now we'll take a look at an overview of the draft adequacy decision to understand what the Commission says about the UK's data protection standards.

Remember that the Commission doesn't have the final say, so we'll also consider where its decision might run into problems with the EU's other institutions.

UK's Data Protection Framework

The Commission outlines the UK's data protection framework. The following laws cover data protection and privacy in the UK:

  • The UK GDPR, which is a near-identical copy of the EU GDPR, transposed into UK law
  • The Data Protection Act 2018 (DPA 2018), which was the UK's GDPR "implementing legislation," providing specific exemptions and amendments applying to the GDPR in the UK
  • The Privacy and Electronic Communications Regulations (PECRs), which implemented the EU's ePrivacy Directive into UK law

Assessment of the UK GDPR

Assessment of the UK GDPR

The decision contains a detailed look at the UK GDPR, which the Commission finds to be practically identical to the EU GDPR. This is good news, as far as adequacy is concerned.

  • Like the EU GDPR, the UK GDPR applies "extraterritorially," that is, to businesses based outside of the UK but operating in the UK
  • The UK GDPR shares the EU GDPR's concepts and definitions, such as "controllers and processors," "personal data," "processing," and "data subjects."
  • The UK GDPR shares the principles of data processing with the EU GDPR, together with principles governing the processing of "special category data."
  • The UK GDPR's definition of "consent" is identical to the definition in the EU GDPR.
  • Data subjects get the same data subject rights under the UK GDPR and the EU GDPR (with some exceptions, see below).

The Commission also considers how the UK GDPR handles restrictions to the data subject rights and the principles of data processing. These restrictions are transposed into UK law via the DPA 2018. This is where things get a little more complicated for the UK.

Possible Pitfalls

Possible Pitfalls

There are two main areas where the Commission had reservations about the UK's data protection regime. We mention these issues because they might be subject to challenge, either:

  • In the EPDB's opinion
  • In the Member State committee's final decision
  • Later, at the CJEU

Any of these challenges could mean that the UK fails to earn or maintain data protection adequacy.

Immigration Exemption

Article 23 of the GDPR allowed EU Member States to set their own rules in some areas. EU Member States could restrict the GDPR's principles of data processing and data subject rights in areas such as:

  • National security
  • Defense
  • "Other important areas of general public interest"

The UK used its ability to restrict the GDPR's rights and principles to pass the so-called "immigration exemption" at Schedule 2 (4) of the DPA 2018.

The immigration exemption allows controllers to refuse data subject rights requests if fulfilling them would be "likely to prejudice":

  • "the maintenance of effective immigration control," or
  • "the investigation or detection of activities that would undermine the maintenance of effective immigration control"

This controversial provision is currently subject to a lawsuit in the UK, but the Commission didn't see it as prohibitive to an adequacy decision.

The draft decision states that the immigration exemption is "formulated rather broadly," but ultimately subject to "a number of strict conditions" that ensure it is valid within EU law.

Government Surveillance

Some observers were surprised that the issue of the UK government's surveillance powers didn't get a more in-depth consideration by the Commission.

The UK has more intrusive surveillance laws than most other EU Member States. UK surveillance law allows government ministers to force internet service providers to retain and grant access to communications data in bulk.

The UK's surveillance practices came under scrutiny last year at the CJEU, where it was deemed incompatible with EU law.

This is crucially important because previous adequacy decisions, namely the Safe Harbor and Privacy Shield frameworks covering data transfers to the U.S., have been invalidated after court cases before the CJEU (known as "Schrems I" and "Schrems II").

There is a significant chance that the UK's adequacy decision will be invalidated in a "Schrems III"-style case in several years.

Four-Year Review Period

Unusually, the draft adequacy decision contains a clause determining that the Commission will review the decision once every four years to check if the UK's data protection standards are still "essentially equivalent" to the EU's.

The UK has made no secret about its plans to diverge from the EU on data protection, whilst still aiming to remain within the bounds of "essential equivalence."

However, if the adequacy decision is approved, there remains a chance that the UK's standards will diverge too far in the future, and the adequacy decision will be invalidated at a future review.

What to Do Next

What to Do Next

We've written in previous articles about the need to prepare for the UK failing to receive an adequacy decision. This eventuality is now less likely than ever, but it is still possible.

  • The adequacy decision might not be approved by the EU Member State committee
  • The decision might be approved by invalidated by the CJEU (as with the previous two U.S. adequacy decisions)
  • The decision might be invalidated at a future review

Therefore, it's important to ensure you have a backup plan, in case the adequacy decision falls through.

Standard Contractual Clauses

In the event that the UK is not covered by an adequacy decision, the best option for the majority of businesses engaged in transferring personal data from the EEA to the UK will be to implement a contract containing a set of standard contractual clauses (SCCs).

If the data importer (in the UK) is a data processor, you can use the SCCs for controller-processor transfers.

If the data transfer is between two data controllers, you can use either the SCCs adopted in 2001, and the SCCs adopted in 2004.

You will also need to consider whether you need to impose additional safeguards to protect the personal data. If the UK adequacy decision fails, it's likely that the EDPB will release guidance on this matter.

For more information, see our article Using Standard Contractual Clauses.

Summary

  • The EU prohibits transfers of personal data to third countries, unless:

    • The recipient is in a country covered by an adequacy decision
    • One of the GDPR's safeguards applies
  • When the UK transitioned out of the EU, the two parties agreed to a temporary "bridging mechanism" to enable free flows of data until the end of April or June 2021.
  • The European Commission's draft adequacy agreement suggests that the UK has "essentially equivalent" data protection standards to the EU.
  • The draft adequacy decision is not final. Before the decision is finalized:

    • The EPDB must make a recommendation
    • A committee of EU Member State representatives must approve the decision
  • There are several issues with UK data protection law that may lead to the decision being rejected or invalidated.
  • If adopted, the decision will be subject to review every four years.
  • If your organization is involved in EU-UK data transfers, you should consider implementing a backup plan, such as adopting an agreement containing standard contractual clauses.
Robert B.

Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.