12 April 2021
Many organizations were relieved to learn that the European Commission has adopted a draft adequacy decision for the UK. If approved, the adequacy decision would enable organizations to continue transferring personal data from the EEA to the UK without impediment.
But the decision isn't final. There are many issues with the UK's data protection regime that could mean the adequacy decision is not approved. And if the adequacy decision is approved, many potential pitfalls might lead to its eventual invalidation.
This article will consider what the Commission says about the UK's data protection regime, what other factors might affect the UK's chances of earning or maintaining an adequacy decision, and what you can do to prepare for the worst-case scenario.
Here are the basics on data adequacy, and why it's so important for the UK and for businesses in the European Economic Area (EEA) working with UK businesses.
The EU is very protective of its citizens' personal data. Privacy and the protection of personal data are guaranteed under Articles 7 and 8 of the EU Charter of Fundamental Rights: EU citizens are entitled to assume that their communications are private and that their personal data remains under their control.
The protection of personal data is why the EU enacted the General Data Protection Regulation (GDPR), which heavily restricts how businesses treat personal data.
But when businesses based in the EEA (which comprises all the EU Member States plus Iceland, Liechtenstein, and Norway) want to send personal data to organizations in "third countries" (non-EEA countries), there's no guarantee it will receive the same level of protection.
That's why Chapter 5 of the GDPR sets strict rules governing third-country transfers.
Personal data may only be transferred from the EEA to a third country if one of the following applies:
By far the best option for businesses sending personal data from the EEA, and businesses receiving personal data in the UK, is number 1: an adequacy decision.
Research from University College London suggests that failing to achieve data protection adequacy would cost UK businesses between $1.4 and $2.2 billion in additional compliance costs alone.
Keeping data flows to the UK open is crucial for thousands of UK and EEA businesses.
Yes, the UK has now fully transitioned out of the EU and is a third country. But this hasn't affected data flows yet.
When the UK and the EU agreed on the EU-UK Trade and Cooperation Agreement (TCA, available here), it contained a section known as the "bridging mechanism" or "interim provision" that would allow personal data to keep flowing to the UK until April 30, 2021, with a possible extension to June 30, 2021.
This means that the UK has a "temporary adequacy decision" while the EU assesses whether it should get a full adequacy decision.
The European Commission has recommended that the UK receives "adequate" status.
The Commission's draft adequacy decision (available here) states that the UK has "essentially equivalent" levels of data protection as those provided under the GDPR and that personal data flows should remain open at least until a review date in four years.
No, the adequacy decision isn't a "done deal." Two things must happen before the Commission's decision is finalized:
The committee of EU Member State representatives is likely to approve or reject the decision before the end of April, when the interim provision expires. But there's no guarantee that the committee will approve the decision.
Now let's look at the draft adequacy decision to understand what the Commission says about the UK's data protection standards.
Remember that the Commission doesn't have the final say, so we'll also consider where its decision might run into problems with the EU's other institutions.
The Commission outlines the UK's data protection framework. The following laws cover data protection and privacy in the UK:
The decision contains a detailed look at the UK GDPR, which the Commission finds to be practically identical to the EU GDPR. This is good news, as far as adequacy is concerned.
The Commission also considers how the UK GDPR handles restrictions on data subject rights and the principles of data processing. These restrictions are implemented in UK law via the DPA 2018. This is where things get a little more complicated for the UK.
There are two main areas where the Commission had reservations about the UK's data protection regime. We mention these issues because they might be subject to challenge, either:
Any of these challenges could mean that the UK fails to earn or maintain data protection adequacy.
Article 23 of the GDPR allowed EU Member States to set their own rules in some areas. EU Member States could restrict the GDPR's principles of data processing and data subject rights in areas such as:
The UK used its ability to restrict the GDPR's rights and principles to pass the so-called "immigration exemption" at paragraph 4 of Schedule 2 to the DPA 2018.
The immigration exemption allows controllers to refuse data subject rights requests if fulfilling them would be "likely to prejudice":
This controversial provision is currently subject to a lawsuit in the UK, but the Commission didn't see it as prohibitive to an adequacy decision.
The draft decision states that the immigration exemption is "formulated rather broadly," but ultimately subject to "a number of strict conditions" that ensure it is valid within EU law.
Some observers were surprised that the issue of the UK government's surveillance powers didn't get a more in-depth consideration by the Commission.
The UK has more intrusive surveillance laws than most EU Member States. UK surveillance law (principally the Investigatory Powers Act 2016) allows government ministers to force internet service providers to retain communications data in bulk and to grant access to it.
The UK's surveillance practices came under scrutiny last year at the CJEU, where they were found to be incompatible with EU law.
This is crucially important because previous adequacy decisions, namely the Safe Harbor and Privacy Shield frameworks covering data transfers to the U.S., were invalidated following CJEU rulings (known as "Schrems I" and "Schrems II").
There is a significant chance that the UK's adequacy decision will be invalidated in a "Schrems III"-style case in several years.
Unusually, the draft adequacy decision contains a clause determining that the Commission will review the decision once every four years to check if the UK's data protection standards are still "essentially equivalent" to the EU's.
The UK has made no secret about its plans to diverge from the EU on data protection, whilst still aiming to remain within the bounds of "essential equivalence."
However, if the adequacy decision is approved, there remains a chance that the UK's standards will diverge too far in the future, and the adequacy decision will be invalidated at a future review.
We've written in previous articles about the need to prepare for the UK failing to receive an adequacy decision. This eventuality is now less likely than ever, but it is still possible.
Therefore, it's important to ensure you have a backup plan, in case the adequacy decision falls through.
In the event that the UK is not covered by an adequacy decision, the best option for the majority of businesses engaged in transferring personal data from the EEA to the UK will be to implement a contract containing a set of standard contractual clauses (SCCs).
If the data importer (in the UK) is a data processor, you can use the SCCs for controller-processor transfers.
You will also need to consider whether you need to impose additional safeguards to protect the personal data. If the UK adequacy decision fails, it's likely that the EDPB will release guidance on this matter.
For more information, see our article Using Standard Contractual Clauses.
The EU prohibits transfers of personal data to third countries, unless:
The draft adequacy decision is not final. Before the decision is finalized:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.