In this briefing, we consider the recently published EU adequacy decisions on personal data transfers from the EU to the UK (with a focus on the decision under the EU GDPR), as well as the EDPB’s final recommendations on supplementary measures for personal data transfers to third countries.
On 28 June, the long-awaited adequacy decisions concerning transfers of personal data from the EU to the UK were published. The European Commission has published one adequacy decision under the EU General Data Protection Regulation1 (EU GDPR) and one under the Law Enforcement Directive2 (the Directive). These mean that personal data can continue to be transferred seamlessly from the EU to the UK for the next four years, unless the European Commission determines that the UK data protection regime has deviated from the present level of protection. The European Data Protection Board (EDPB) has also recently published its final recommendations on supplementary measures to ensure equivalent levels of protection to data transferred to third countries. These recommendations provide additional guidance to data exporters when transferring personal data from the EU.
European Commission’s adequacy decisions for the UK
The adequacy decisions under the EU GDPR and the Directive contain detailed analyses of the UK data protection framework and conclude that the UK provides an adequate data protection regime to allow data transfers from the EU to the UK to continue unhindered. This follows several months of investigation and debate by the European Commission and European Parliament, as well as an opinion by the EDPB. Notably, the European Parliament passed a resolution in May 2021 arguing for the European Commission to amend its draft adequacy decision to address deficiencies identified in the UK data protection regime.3
The adequacy decisions recognise that the UK has retained the EU GDPR (as the UK GDPR) and the Directive, meaning that the UK’s laws (including the UK GDPR and the Data Protection Act 2018) are very similar to the EU’s laws in the area of data protection. In addition, the adequacy decisions recognise that the UK is subject to the jurisdiction of the European Court of Human Rights as well as the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.
The adequacy decision under the EU GDPR analyses in detail the power of UK public authorities to access and collect personal data on national security grounds. The European Commission notes that this power is subject to several checks and safeguards, including an individual’s ability to bring an action before the Investigatory Powers Tribunal. The European Commission concludes that interferences with individual rights as a result of UK public authorities exercising these powers “will be limited to what is strictly necessary to achieve the legitimate objective in question, and that effective legal protection against such interference exists”.4 Notably, however, data transfers from the EU to the UK for immigration control purposes are excluded from the scope of the adequacy decision as a result of the UK Court of Appeal’s judgment in The Open Rights Group & Anor, R (On the Application Of) v The Secretary of State for the Home Department & Anor  EWCA Civ 800. The Court of Appeal held that the immigration exemption under the Data Protection Act 2018 was incompatible with the UK GDPR, and the European Commission will reassess this exclusion once UK legislators have addressed the issues raised in the judgment.
Both adequacy decisions contain ‘sunset clauses’, which mean that the decisions will require review after four years. This is the first time an EU adequacy decision has contained such a clause, and will mean that the UK must continue to demonstrate and ensure adequate levels of data protection. The European Commission will be monitoring the UK’s data protection regime and may intervene if it determines that the UK has deviated from the requisite protection level.
This feature of continued close monitoring of the UK data protection regime was recommended by the EDPB in its opinion on the European Commission draft adequacy decision under the GDPR. The EDPB raised particular concerns regarding the UK’s practices on bulk interception of data and onward transfers of data to other third countries (including the USA). The EDPB invited the European Commission “to monitor closely all relevant developments in the UK that may have an impact on the essential equivalence of the level of protection of personal data, and to take swiftly appropriate actions, where necessary.”5 It appears that the use of the new sunset clauses in the adequacy decisions is designed to address the EU’s concern that the UK’s data protection laws may diverge from the EU GDPR in the future.
European Data Protection Board’s final recommendations on supplementary measures
On 18 June, the EDPB adopted its final recommendations on supplementary measures to ensure compliance with data protection under the EU GDPR when personal data is transferred to third countries.6 We discussed the EDPB’s draft recommendations (published in November 2020) in a previous article, and set out below the key changes made in the final version.7
The final recommendations contain further provisions on the situation where a third country’s public authorities interfere with the data transfer, and on how this affects the data exporter in determining whether the third country’s regime impinges on the effectiveness of the safeguards contained in the Article 46 EU GDPR transfer tool relied on. The recommendations emphasise that the safeguards must ensure effective protection of the personal data transferred in practice, and note three situations where an assessment of the third country’s regime will be particularly relevant:
- Where the third country’s legislation formally meets EU standards but is manifestly not applied/complied with in practice;
- Where the third country’s legislation is lacking and there are practices “incompatible with the commitments of the transfer tool”;
- Where the transferred data and/or the data importer fall or might fall within the scope of “problematic legislation” that does not provide for an essentially equivalent level of data protection.
The adequacy decisions and the EDPB recommendations will be welcomed by EU and UK businesses as personal data can continue to be transferred from the EU to the UK as before Brexit. This also puts the EU’s review of the UK data protection regime in line with the UK’s conclusion that EU data protection is adequate for personal data transfers from the UK to the EU. UK-based businesses should therefore continue to comply with the UK data protection regime and follow the Information Commissioner’s Office guidance on international data transfers.8