Background
What does this mean?
What do organisations need to do?
What should organisations be aware of?
This article discusses how the European Commission's UK adequacy decisions could affect organisations that are subject to the EU General Data Protection Regulation (GDPR) and organisations that do business with those that are subject to the GDPR.
The European Commission has adopted two adequacy decisions covering transfers of personal data from the European Union to the United Kingdom. One agreement covers transfers made under the GDPR and the other covers transfers made under the Law Enforcement Directive. The decisions formally recognise that the United Kingdom provides an "essentially equivalent level of protection" to personal data flowing from the European Union.
The United Kingdom had already made an equivalent decision about countries in the European Economic Area prior to its exit from the European Union, meaning that transfers could flow easily from the United Kingdom to those countries. These decisions complete that circle – and were passed on 30 June 2021, just before the end of the "bridge" agreed as part of the Trade and Cooperation Agreement.
This means that organisations can continue to facilitate transfers of personal data from the European Union to the United Kingdom without the need for specific transfer tools and supplementary measures.
What do organisations need to do?
If they have not already done so, organisations should take the opportunity to review and update their article 30 record of processing activities accordingly. In particular, organisations should identify any transfers of personal data from the European Union to the United Kingdom and record that those transfers are taking place on the basis of an adequacy decision under article 45(1) of the GDPR.
Organisations should also review the new EU standard contractual clauses for international data transfers and ensure that they understand how they should be used alongside revised guidance from the European Data Protection Board for other transfers from the European Union (for further details please see "New rules on protection of transfers of personal data outside European Union").
What should organisations be aware of?
The adequacy decisions contain a so-called "sunset clause", which means that they will expire in four years' time (starting from 28 June 2021). During the four-year term, the European Commission will monitor legal developments in the United Kingdom and can intervene to review the adequacy finding at any point if it finds that there has been deviation from the United Kingdom's privacy protections. In December 2024, if the adequacy of the United Kingdom regime remains "factually and legally justified", the European Commission should initiate the procedure to extend the decision, in theory by a further four years. Otherwise, the decisions will expire at that point.
Organisations should also be aware that the GDPR adequacy finding excludes transfers for the purposes of UK immigration control. This reflects a recent UK Court of Appeal judgment which held that the "immigration exemption" contained in Schedule 2(4) of the UK's Data Protection Act 2018 is incompatible with article 23 of the GDPR. Therefore, organisations that are transferring personal data from the European Union to the United Kingdom for the purposes of maintaining effective immigration control or investigating or detecting activities that would undermine the maintenance of effective immigration control will need to explore and implement other transfer tool options in order to make the transfer(s) lawful.
The adequacy agreements refer to the United Kingdom's current data protection framework (which continues to be based on the GDPR and the Law Enforcement Directive) and the United Kingdom being subject to the jurisdiction of the European Court of Human Rights as key factors in support of the adequacy findings. Therefore, concerns are being expressed over the longevity of the adequacy agreements.
Updating their article 30 records of processing now and taking this into consideration for any arrangements that might extend beyond 27 June 2025 could benefit organisations if, for any reason during this period, the European Commission decides to intervene or not to renew, allowing organisations to keep them under review and, if necessary, start planning for the sunset in good time.
For further information on this topic please contact Paula Barrett or Gayle McFarlane at Eversheds Sutherland by telephone (+44 20 7919 4500) or email ([email protected] or [email protected]). The Eversheds Sutherland website can be accessed at www.eversheds-sutherland.com.