EU-UK: Analysing the UK adequacy decision and what's next for UK data protection

The European Commission announced, on 28 June 2021, that it had adopted two adequacy decisions for the United Kingdom, one under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and one under the Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680). The final decisions arrived four months after the Commission's draft positive adequacy decisions, and two days before the expiration of the interim period agreed between the EU and UK providing for the free flow of data. In this insight, we assess the impact and provisions of the GDPR adequacy decision, while also taking a look at several other developments from recent months that provide context to the decision, as well as the future development of the UK data protection regime and data flow policies.


Impact

Following the end of the Brexit transitional period on 31 December 2020, the UK became a third country within the meaning of the GDPR and the Law Enforcement Directive, meaning that the free and unconditional flow of data from the EU to the UK became contingent on a positive adequacy decision from the Commission.

However, EU-UK data flows were able to continue due to a provision in the EU-UK Trade and Cooperation Agreement ('the Trade Agreement'), enabling 'the continued free flow of personal data from the EU and EEA EFTA States to the UK until adequacy decisions are adopted, and for no longer than six months.'

This interim period was set to end on 30 June. In the event of a negative adequacy decision, the free flow of data guaranteed through the interim period would have come to an end and, in order to secure EU-UK data flows, organisations would have had to rely on additional safeguards, such as Standard Contractual Clauses ('SCC'), a mechanism which may also require additional operational processes in light of the Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'). With adequacy now granted to the UK, the free flow of data can continue uninterrupted without the need for additional safeguards.

Elaborating on the impact of this, Jimmy Orucevic, Data Protection Consultant at KPMG Switzerland, told OneTrust DataGuidance, "The UK adequacy decision is a very big deal for any business that operates in the UK, as this decision will spare companies the time-consuming case-by-case transfer impact assessment that currently affects many data transfers to other third countries. It further brought legal certainty to businesses since the interim solution ended on 30 June 2021."

Key developments and divergences between draft and final decision

The process towards UK adequacy formally began on 19 February 2021, with the Commission issuing two draft adequacy decisions. In its draft decisions, the Commission reviewed the UK's law and practice on personal data protection, including the rules on access to data by public authorities, and concluded that the UK ensures an essentially equivalent level of protection to the one guaranteed under both the GDPR and the Law Enforcement Directive. It notably referenced the fact that, prior to Brexit, the UK was subject to the EU data protection legal framework, which, it noted, is now broadly mirrored by the UK's data protection regime with the creation of the UK GDPR.

Between then and the adoption of the final adequacy decision, there have been several key developments, as outlined below.

EDPB's opinion and Parliament's resolution

In particular, the European Data Protection Board ('EDPB') issued, on 14 April 2021, an opinion noting alignment between the EU and the UK legal frameworks but nonetheless highlighting several concerns with respect to the UK's data protection regime.

Furthermore, the European Parliament issued, on 21 May 2021, a resolution reiterating many of the concerns highlighted by the EDPB and, in light of the same, urging the Commission to amend its draft adequacy decisions. In particular, the resolution highlighted issues related to the enforcement of the law by the UK Information Commissioner's Office and the lack of limitations on the use of UK bulk data powers.

In addition, Parliament expressed concerns over a number of issues regarding UK law and policy with respect to the onward transfer of data. In particular, the resolution contends that UK rules on the sharing of personal data under the Digital Economy Act 2017 and on onward transfers of research data are not 'essentially equivalent' to the rules set out in the GDPR, as interpreted by the CJEU. Additionally, the resolution highlights that the UK has granted itself the right to declare that other third countries or territories provide adequate data protection, irrespective of whether the third country or territory in question has been held to provide such protection by the EU, specifically noting that the UK has already declared that Gibraltar provides such protection.

The resolution outlines concerns regarding the possible bypassing of EU rules on transfers to countries or territories not deemed adequate under EU law.

Courts issue decisions on UK surveillance and immigration laws

On 25 May 2021, the Grand Chamber of the European Court of Human Rights ('ECtHR') issued its judgment in the case of Big Brother Watch and Others v. the United Kingdom (application Nos. 58170/13, 62322/14 and 24969/15), in which it held that several aspects of the UK surveillance regime were contrary to the European Convention on Human Rights ('ECHR').

On 26 May 2021, the England and Wales Court of Appeal (Civil Division) issued its judgment allowing the appeal in The Open Rights Group & Anor, R (On the Application Of) v The Secretary of State for the Home Department & Anor [2021] EWCA Civ 800, ruling that the so-called immigration exception, a statutory restriction on data protection rights in the context of immigration, which disapplies some data protection rights where applications would likely prejudice immigration control, is an unauthorised derogation from the fundamental rights conferred by the GDPR, and therefore incompatible with the same.

Regulatory taskforce report

Both the EDPB and Parliament highlighted that the UK Government had previously expressed an interest in possible divergences from the EU data protection framework and invited the Commission to closely monitor any such evolution in the law and to suspend, amend, or repeal the adequacy decision if necessary.

Against this backdrop, the UK Taskforce on Innovation, Growth and Regulatory Reform published, on 16 June 2021, a report containing recommendations on how the UK can reshape its approach to regulation. Notably, the report calls for a new data protection framework, a UK Framework of Citizen Data Rights, to replace the UK GDPR, describing it as 'unnecessarily restricting the use of data for worthwhile purposes'. More specifically, the report proposes reform to give stronger rights and powers to consumers and citizens, placing responsibility on the companies using data, and using data for innovation and in the public interest. Furthermore, the report indicates concerns that the UK GDPR needs to be revised for artificial intelligence and growth sectors to enable innovation in the UK. To this end, the report suggests that Article 22 of the UK GDPR should be removed to allow focus on the legitimacy of automated decision-making.

The decision

In its press release, the Commission highlighted that, among other decisive factors, the UK's data protection system continues to be based on the same rules that were applicable when the UK was a Member State of the EU, and the UK has fully incorporated the principles, rights, and obligations of the GDPR and the Directive into its post-Brexit legal system.

In addition, the Commission outlined that personal data can now flow freely from the EU to the UK where it benefits from an essentially equivalent level of protection to that guaranteed under EU law, whilst also noting that the adequacy decisions can facilitate the correct implementation of the EU-UK Trade and Cooperation Agreement, which foresees the exchange of personal information.

Immigration exception

The Commission outlined that its decision takes account of the Court of Appeal's judgment on the GDPR-compatibility of the immigration exception to data subject rights. In particular, the decision expressly excludes transfers for the purposes of UK immigration control from the scope of the decision. Further to this, the Commission outlined that it will reassess the need for this exclusion once the situation has been remedied under UK law.

Surveillance regime

The Commission highlighted in its press release that '[w]ith respect to access to personal data by public authorities in the UK, notably for national security reasons, the UK system provides for strong safeguards.' In particular, the decision addresses the UK Government's bulk data powers and posits that the UK's regime on the same 'incorporates limitations and safeguards designed to ensure that access to data is not given on an indiscriminate or unjustified basis.' Furthermore, the decision highlights in its conclusion that the Commission 'considers that any interference with the fundamental rights of the individuals whose personal data are transferred from the EU to the UK by UK public authorities for public interest purposes, in particular law enforcement and national security purposes, will be limited to what is strictly necessary to achieve the legitimate objective in question, and that effective legal protection against such interference exists.'

Adequacy and onward transfer policies

The Commission's decision states 'as regards the future evolution of the UK's international transfers regime – through the adoption of new adequacy regulations, the conclusion of international agreements or the development of other transfer mechanisms – the Commission will closely monitor the situation, assess whether the different transfer mechanisms are used in a way that ensures the continuity of protection, and, if necessary, take appropriate measures to address possible adverse effects for such continuity.'

Additional safeguards and provisos

The decision includes a so-called 'sunset clause', which limits its duration to four years after its entry into force. The decision highlights that after that period, the adequacy findings will only be renewed if the UK continues to ensure an adequate level of data protection.

The decision further emphasises that during these four years, the Commission will continue to monitor the legal situation in the UK.

Future of UK data protection framework

Following the adoption of the Commission's decision, the UK Government issued a statement welcoming the decision and its impact, as well as outlining its intentions with respect to data protection and data flow policies going forward. The statement calls for an 'approach [that] will seek to minimise burdens on organisations' and highlights that 'all future decisions [related to data flows] will be based on what maximises innovation and keeps up with evolving tech.'

In addition, the statement highlights 'plans to promote the free flow of personal data globally and across borders, including through ambitious new trade deals and through new data adequacy agreements with some of the fastest growing economies, while ensuring people's data continues to be protected to a high standard.'

Tim Hickman, Partner at White & Case LLP, told OneTrust DataGuidance that there is a "clear tension between the EU's position […] and the UK's position [and that], as with many aspects of the post-Brexit UK-EU relationship, the key issue is the magnitude of any changes. If the UK makes minor adjustments to its privacy rules to address practical issues, it is unlikely that the Commission will intervene. However, if the UK relaxes or revises its laws in ways that are perceived as undermining levels of protection for personal data, or giving the UK an unfair competitive edge, then the Commission may feel forced to take action."

Furthermore, Hickman concluded, "There is a real risk that, even before the UK has had a chance to make any changes to its regime, there will be legal claims challenging the validity of the Commission's adequacy decision. As we saw with the Schrems I and Schrems II decisions, the CJEU is willing to strike down adequacy decisions where it considers that personal data is not being afforded an appropriate level of protection. In addition, the adequacy decision has a shelf-life of four years, and there is a real possibility that, even if it is not overturned in that time, it might not be renewed. All of this leads to significant uncertainty for many businesses regarding the transfer of data between the EU and the UK. Given these uncertainties, and the substantial recent developments in the form of new SCCs and [the EDPB's] guidance on supplementary measures, we expect turbulence to continue on data transfer issues for the foreseeable future."

Alexis Galanis Privacy Analyst

Comments provided by:

Tim Hickman Partner
White & Case LLP

Jimmy Orucevic Data Protection & Privacy Consultant
KPMG, Switzerland