EU: European Commission adopts UK adequacy decision

On 13 April 2021, the European Data Protection Board ('EDPB') announced that it had adopted its opinion on the draft UK adequacy decision issued by the European Commission on 19 February 2021. The adequacy decision was formally adopted by the Commission on 28 June 2021. Bridget Treacy and Olivia Lee, from Hunton Andrews Kurth, discuss the significance of the Commission's opinion on UK adequacy, the details of the EDPB's opinion, and how the relationship between the UK and the EU may continue to evolve in the future regarding data transfers.

The adequacy decision permits transfers of personal data from the EU to the UK without the implementation of a data transfer mechanism under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), such as Standard Contractual Clauses ('SCCs'). With the UK now a 'third country' under the GDPR, a transfer mechanism would otherwise be required for such sharing of personal data, unless the transferring entity in the EU could rely on one of the limited derogations under Article 49 of the GDPR, such as data subject consent or contractual necessity.

Even though the adequacy decision has been adopted, it will be subject to review in the future, and could be revoked if the level of data protection offered in the UK is deemed to drop below a standard considered essentially equivalent to that of the EU. This is a calculable risk for the UK, which now has the freedom to diverge from the GDPR and may be incentivised to do so in the context of, for example, post-Brexit trade negotiations with jurisdictions that desire more freedom in their processing of personal data received from the UK.

The EDPB's opinion

The EDPB highlighted in its opinion that the UK Government has previously expressed an interest in possible divergence and invited the Commission to closely monitor any such evolution in the law and to suspend, amend, or repeal the adequacy decision if necessary, noting that the European Commission's draft decision included a sunset clause that allows review of the adequacy decision after four years.

There is currently a great deal of convergence between the UK and EU with respect to data protection. The UK implemented the GDPR into national law prior to its departure from the EU in the form of the 'UK GDPR', meaning that the EU and UK are aligned on, for example, the grounds for fair and lawful processing; processing for legitimate purposes; purpose limitation; data quality and proportionality; data retention, security, and confidentiality; transparency; special categories of data; and automated decision making and profiling. The EDPB explicitly recognised in its opinion the extent to which the UK regime mirrors that of the EU, stating that in many respects the law of the EU and UK were currently essentially equivalent. It also noted the work undertaken by the UK Information Commissioner's Office ('ICO') to raise awareness of data protection issues and obligations by publishing comprehensive information and guidelines on its website.

The EDPB also drew attention, in its opinion, to the ways in which the UK has deviated from the GDPR, such as by introducing a 'broadly formulated' exemption to certain data protection rights for processing relating to immigration, i.e. the rights of access, erasure, restriction of and objection to processing, and the right to be informed. The EDPB noted in particular that this exemption applies even when personal data is not initially collected for immigration purposes but is later shared with another entity that uses it for immigration control. The EDPB commented that the exemption does not itself provide safeguards to prevent its abuse and requested that further clarifications on its application be provided.

The EDPB also raised several concerns with respect to onward transfers of EEA personal data that is shared with the UK, and with jurisdictions that may not provide an appropriate standard of data protection. The EDPB expressed apprehension over possible adequacy decisions that may be reached by the UK with respect to jurisdictions that the European Commission would not deem to provide essentially equivalent protection to that of the EEA, and the risks that this may pose to EEA data transferred from the UK to those jurisdictions. Further, the Commission's existing adequacy determinations are set to be reviewed, which may result in some jurisdictions losing their status as an adequate destination for personal data from the perspective of the EU, but still being recognised as adequate by the UK due to the UK's adoption of the Commission's existing adequacy decisions prior to Brexit.

The EDPB further requested, in its opinion, that the Commission provide reassurances in the adequacy decision that necessary safeguards would be implemented when the UK makes onward transfers of EEA data to third countries in reliance on data transfer mechanisms, such as SCCs, in line with the requirements of the Court of Justice of the European Union ('CJEU') in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'). In addition to invalidating the EU-U.S. Privacy Shield, the CJEU imposed a requirement on data exporters to verify whether the law of a recipient jurisdiction would interfere with the effectiveness of a transfer mechanism relied on for the transfer. Where there is a risk of such interference, exporters are required to implement additional safeguards to ensure that the level of protection provided for personal data mirrors that of the EEA. The EDPB prompted the Commission to ensure that data exporters are required to undertake the same assessments prior to making transfers of EEA data out of the UK, to avoid the level of protection for personal data being watered down during its transmission through the UK.

The EDPB also raised concerns over the extent to which access may be granted to EEA personal data under international agreements between the UK and other jurisdictions, particularly the US, and invited the Commission to take action where necessary with respect to any such agreements that risk undermining the standard of protection for personal data. These concerns were further emphasised with respect to data that may be shared under agreements for intelligence purposes, with the EDPB noting that such agreements often are not publicly available. The EDPB also invited the Commission to monitor how the ICO applies and interprets the derogations under Article 49 of the GDPR, to ensure that they are aligned with the EU's interpretations, which are currently narrow.

A final point made by the EDPB in its opinion with respect to onward transfers was that the UK has not incorporated Article 48 of the GDPR into its domestic law under the UK GDPR. Under Article 48 of the GDPR, an order from a court or administrative authority in a third country that requires disclosure of personal data need only be recognised when based on an international agreement. The EDPB suggested that the absence of this provision in the UK GDPR may create legal uncertainty, despite the UK's assertion that similar requirements already exist under common law or statutes in the UK.

A further key point of interest for the EDPB is the level of access that public authorities in the UK have, for the purposes of law enforcement and national security, to personal data transferred from the EEA, as well as the legal remedies available to individuals in the EEA. This reflects key areas of focus that were highlighted by the CJEU as part of its determination in the Schrems II Case, and which in part led to the CJEU's invalidation of the Privacy Shield.

With respect to public authority access to personal data, the EDPB drew attention to the breadth of certain definitions in the Investigatory Powers Act 2016 ('IPA'), including those relevant to its scope, such as 'telecommunications service', and stated that the criteria relevant to an assessment of necessity and proportionality of data collection were vague. On these points, in light of the CJEU's requirement in the Schrems II Case that any law permitting interference with the exercise of fundamental rights must, itself, set out the scope of that permitted interference, the EDPB requested that the European Commission review whether or not sufficient precision and clarity is provided under the IPA. The EDPB also sought clarification on whether data held by establishments of telecommunications operators outside the UK could be requested by competent UK authorities under UK law, and EEA data thereby accessed.

The EDPB welcomed the UK's establishment of the Investigatory Powers Tribunal, an independent judicial body established under the Regulation of Investigatory Powers Act 2000 ('RIPA') which may hear cases on the use of investigatory powers by both law enforcement and intelligence bodies. In the EDPB's view, this constitutes a proper court under Article 47 of the Charter of Fundamental Rights of the European Union, offering individuals the right to an effective remedy. The introduction of Judicial Commissioners under the IPA to approve surveillance measures was further welcomed, but the EDPB requested clarity around the scenarios in which interception of data may take place without such prior approval, and assurance that appropriate safeguards ensuring an essentially equivalent standard of protection as in the EEA would exist in these circumstances. The EDPB expressed particular concern over 'bulk interceptions', i.e. collection of large volumes of unfiltered data, commenting that the Investigatory Powers Commissioner has not yet carried out a detailed examination of the selectors and search criteria for such interceptions.

Although the EDPB highlighted a considerable number of concerns in its opinion, this constituted a moderated version of its stance. Prior to its adoption of the opinion, the Commission reportedly advised the EDPB to moderate its criticisms of the standard of data protection provided by the UK, on the basis that UK law mirrors EU data protection standards almost exactly. A particular concern of the Commission was that a determination that the UK was not adequate would disincentivise other jurisdictions from aligning themselves with the EU regime in the hope of achieving their own adequacy decision.

The EDPB's list of requests for clarification indicated that an adequacy decision is likely to be intensely scrutinised over the next few years, with even small deviations from the current regime noted by regulators in Member States for the purposes of an adequacy review in four years' time. This is an issue that should continue to be monitored.

Bridget Treacy Partner
Olivia Lee Associate
Hunton Andrews Kurth, London