The United Kingdom became a third country under the General Data Protection Regulation, (Regulation (EU) 2016/679), (EU GDPR) following Brexit. As a result, transfers of personal data from the European Union to the United Kingdom were at risk of being interrupted, with the EU GDPR requiring organisations to adopt appropriate safeguards if the UK failed to receive an adequacy decision. With the European Commission adopting the adequacy decision for the UK, personal data may continue to flow freely from the EU to the UK for the foreseeable future. This piece aims to highlight the most relevant points that lead the European Commission to confirm the appropriate level of data protection in the UK with an adequacy decision.
What you need to know in a nutshell
- After the transition period ended and the UK became a third country the EU GDPR no longer applied directly in the UK, but it was enacted into UK law
- The bridge regime then stated that data transfers from EU to the UK could continue for another six months
- In June 2021 the European Commission announced the adequacy decision for the UK has been approved
- The decision includes a “sunset clause” which limits the duration
In this article
On 31 December 2020, the transition period following Brexit ended and the United Kingdom officially became a third country. This meant that the General Data Protection Regulation, (Regulation (EU) 2016/679), (EU GDPR), no longer applied directly in the UK. However, the Data Protection Act 2018, (DPA 2018), enacted the EU GDPR provisions into UK law, and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020, amended the DPA 2018 to create a UK customised regime in the form of the UK General Data Protection Regulation, (UK GDPR).
This regulation resulted in the agreement of a “bridge” regime, where data transfers from the EU to the UK could continue for up to six months. This then allowed the EU to continue its assessment on the adequacy status of the UK under the EU GDPR.
On 19 February 2021, the European Commission launched the process towards the adoption of adequacy decisions for transfers of personal data to the United Kingdom. This resulted in the draft decisions on the UK´s adequacy being published as the first part of the sign-off procedure. These draft decisions were then submitted to the European Data Protection Board (EDPB) and a committee of the 27 EU Member Governments for their consideration and approval as one of the final steps required to formally adopt them as legal adequacy decisions.
On the 28th of June 2021, the European Commission announced that adequacy decisions for the UK have been approved, meaning personal data can now flow freely from the EU to the UK. The approved adequacy decisions include one under the EU GDPR and the other under the Law Enforcement Directive.
This adequacy decision is the result of months of negotiations between the UK and the EU and aims to facilitate the correct implementation of the EU-UK Trade and Cooperation Agreement. Věra Jourová, Vice-President for Values and Transparency, had the following to say about the highly expected announcement:
“The UK has left the EU but today its legal regime of protecting personal data is as it was. Because of this, we are adopting these adequacy decisions today.”
The adequacy decision
The UK is deemed to have a data protection system that is based on and consistent with the same regime that was applicable when the UK was a Member State of the EU. Furthermore, the decision recognises that the UK has fully incorporated the principles, rights and obligations of the EU GDPR into its post-Brexit legal system with the introduction of the UK GDPR.
One of the biggest concerns of the EU related to the amount of access to personal data by public authorities in the UK, namely for national security reasons. The EDPB and the committee determined that the UK provides strong safeguards in this area of concern, in particular, regarding the collection of data by intelligence authorities. This is because the method of data collection by intelligence agencies is in principle subject to prior authorisation by an independent judicial body. Furthermore, individuals who believe they have been the subject of unlawful surveillance may bring action before the Investigatory Powers Tribunal (IPT). For reference, the IPT is an independent judicial body established under the Investigatory Powers Act and which is designed to provide a right of redress for anyone who believe to have been victim of unlawful action taken by a public authority by using cover investigative techniques.
The European Commission also outlined that the UK is subject to other data protection mechanisms. Namely, it is under the jurisdiction of the European Court of Human Rights and must adhere to the European Convention of Human Rights as well as to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, (the only binding international treaty on the subject of data protection). These commitments were regarded as essential elements to the assessment of the legal framework for both adequacy decisions.
It is worth noting that, for the first time, this adequacy decision includes a “sunset clause” which strictly limits the duration of said decisions. Therefore, the decisions will expire four years after their entry into force. Although adequacy decisions may be renewed, it has been stressed that this will only be the case here if the UK continues to ensure an adequate level of data protection under EU standards. The European Commission will continue to monitor the situation in the UK and intervene if at any point the UK deviates from the level of protection currently in place.
Finally, the European Commission will reassess the need for the exclusion of transfers for the purposes of UK immigration control which, currently are not included in the scope of the adequacy decision adopted under the EU GDPR. This is a result of a recent judgement of the England and Wales Court of Appeal.
The way forward
There has been a lot of speculation around the UK's adequacy decision since Brexit took place back in 2016. Although, many privacy professionals were hoping for and expecting this decision due to the UK’s previous status within the EU. Some even suggested it would be difficult for an adequacy decision not to be granted.
Elizabeth Denham, the UK’s Information Commissioner said:
“This is a positive result for UK businesses and organisations. Approved adequacy means that businesses can continue to receive data from the EU without having to make any changes to their data protection practices.”
Now, data exporters will be pleased to finally have some resolution and will in most cases be able to plan ahead without the need to implement additional safeguards. Despite this moment of clarity there are many who are critical of the decision and may be looking to scrutinise the decision by the Commission, especially following the “Schrems II” ruling of last year. Although it is widely believed that any challenges to the adequacy decision would take a while to get through the relevant courts.
That said, recent statements and remarks by public officials in the UK have hinted at the intention of diverging from “unnecessary and burdensome” requirements under the EU GDPR. This will prove significant as the European Commission will keep a close eye on any divergence from the current legal framework in the UK and how much the adequacy decision's longevity relies on this.