On February 19 2021, the European Union Commission issued its draft adequacy decision for data flows between the European Union (EU) and United Kingdom (UK).
Whilst widely expected, this draft decision will provide some assurance about the continuing free flow of data between the EU and UK although businesses should take heed of a few ongoing regulatory issues.
Post-Brexit (the UK’s exit from the European Union):
- The UK largely adopted the EU GDPR as standalone UK law
- The UK became a “third country” for data flows from the EU
- Transitional provisions have been applied to allow data flows between the UK and the EU. The EU-UK Trade and Co-operation Agreement agreed on December 24, 2020 included a “bridge period” of four to six months to allow for the EU Commission to adopt an adequacy decision under the GDPR for the UK
- The UK deemed the EEA to be adequate on a transitional basis, a position likely to be the case until 2024. The UK also retained the EU standard contractual clauses as a transfer mechanism
- The UK also adopted previous EU adequacy decisions meaning that data may continue to flow, as before, to countries outside of the EU, such as Japan, with adopted adequacy decisions. The UK has said it will keep these adequacy decisions under review
The speed of issue of this draft decision will provide some comfort to businesses working across the EU and UK, but there are a few key issues to carefully consider. The draft decision must still be reviewed by the European Data Protection Board and then needs the “green light” from representatives of EU member states under the “comitology” procedure.
What Does Adequacy Mean?
In brief, an adequacy decision means that the EU has accepted that the UK data protection regime affords adequate protections for EU data subjects.
If the decision is adopted, data may continue to flow between the EU and UK without the need for additional provisions, such as standard contractual clauses or the adoption of binding corporate rules.
There had been some question as to whether special terms and conditions would be included to take into account the recent Schrems II ruling by the European Court of Justice, but the draft adequacy decision confirms that existing UK law is sufficient, and that no further safeguard steps need be taken by data exporters.
Regulatory Oversight – No “One Stop Shop”
Despite the adequacy decision, the UK and the EU are still subject to separate regulatory regimes.
From January 1, 2021 organisations that process data in the EU and the UK (or if UK based, offer goods or services, or target individuals in the EU and vice versa) are now subject to both the EU GDPR and the UK GDPR and, depending on their operations may need to:
- Appoint an EU representative or a UK representative
- Consider which EEA or EU supervisory authority will be their lead authority, given that the UK Information Commissioner’s Office may no longer be the lead supervisory authority for data controllers and data processors located in the UK without a main establishment in the EEA.
Adequacy and the Longer Term
The Adequacy decision, once adopted, will not be a permanent position. It will be re-examined every four years by the EU and by the UK. However, this review period is longer than the review period in other adequacy decisions, for example the Japan adequacy decision allows for a review every two years, subject to confirmation after the first two-year review.
Some risk remains that any EU Adequacy decision may be challenged in a similar way to the Safe Harbor and Privacy Shield provisions which were recently challenged in the Schrems II case. This may be considered a heightened risk given the European Court of Human Rights ruling regarding the UK mass surveillance programme.
However, the EU UK Trade and Co-operation Agreement does include provisions which foresee the risk of future declarations of unlawful transfers. The Agreement outlines the steps to be taken by the Partnership Council to agree on joint interpretations, recommend appropriate actions, adopt appropriate adaptations and extend any suspensions. These provisions are based on the need for future co-operation, and the need to take steps to allow data to continue to flow between the EU and the UK.
Failing any resolution through the EU-UK Trade and Co-operation Agreement provisions, alternative mechanisms may need to be adopted to deal with any invalidation, for example the adoption of standard contractual clauses
Ongoing Opinions and Guidance – Some Divergence?
Despite the Adequacy decision, organisations operating in the EU and UK will need to continue to monitor developments in both areas. A few examples to bear in mind below:
- The EU is currently consulting on revisions to the standard contractual clauses. Given that the UK has adopted the previous standard contractual clauses, it remains to be seen whether the UK will also adopt any revised version
- On February 2, 2021, the EU issued guidance on health research and secondary use of data. A week later, on February 9, 2021, the UK announced a review into the use of health data for research and analysis. We will cover these developments in a separate future briefing
- On the theme of facilitating continued flow of data, the ICO published its long awaited Data Sharing Code of Practice (the Code) at the end of last year. Due to the detailed way in which the Code covers data sharing in the context of the GDPR, it will also be of wider interest to data controllers outside of the UK post-Brexit