Last month, the European Commission announced a preliminary determination that the United Kingdom (UK) provides adequate privacy protections, a critical step for personal data transfers between the European Union (EU) and the UK after Brexit. The EU’s General Data Protection Regulation (GDPR) restricts the transfer of personal data outside the European Economic Area (EEA), and the UK’s recent departure from the EU means that companies will need a valid mechanism by which to transfer personal data to the UK—now considered a “third country” for purposes of the GDPR. Although companies can rely upon Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), an adequacy determination will significantly ease the burden on European companies transferring data to the UK. It may also provide a guidepost for European and American officials negotiating a replacement to the EU-US Privacy Shield, which the Court of Justice for the European Union (CJEU) struck down last summer.
Companies should be mindful that the UK has adopted a regime substantially similar to GDPR, and even with an adequacy decision, there may be new obligations created post-Brexit with respect to the processing of personal data of UK residents. One of the new obligations would be to identify a separate data privacy representative in the UK from the data representative in the EU.
Explanation of the Draft Adequacy Decision
By adopting a draft adequacy decision after months of careful assessment, the European Commission made a big stride towards determining with binding effect that “the UK ensures an essentially equivalent level of protection to the one guaranteed under the GDPR.” The Commission emphasized that the UK remains part of “the European privacy family” and that the UK’s data privacy laws, including the “UK GDPR” and the UK Data Protection Act 2018, have been significantly influenced by the EU’s privacy regime.
The draft adequacy decision will next be reviewed by the European Data Protection Board, before being reviewed by a committee of EU Member States. Upon final approval by the Commission, the adequacy decision will be initially valid for four (4) years, after which it can be renewed. The Commission will retain jurisdiction to review ongoing adequacy, including stringent monitoring and review mechanisms, as well as the ability to revoke the adequacy determination.
The draft adequacy decision is significant for two main reasons. First, it is a step towards a final adequacy decision that would allow companies to continue transferring data from the EU to the UK without the need to deviate radically from past practice. Had the Commission deemed the UK’s privacy protections inadequate, companies would have had to rely upon SCCs, BCRs, and other less efficient and more expensive data transfer mechanisms.
Second, it may point the way towards a potential replacement of the EU-US Privacy Shield. In striking down the EU-US Privacy Shield, the CJEU focused on the United States’ intelligence laws and the absence of an independent supervisory authority to enforce privacy protections. The UK has a robust national security apparatus and a government structure where the data protection authority (the Information Commissioner) enjoys a great deal of independence, but is still subject to removal by the Queen. The adequacy decision addressed these two issues, explaining that the UK Data Protection Act 2018 imposes appropriately tailored privacy measures for national security activities and that the Information Commissioner has sufficient independence and authority to enforce privacy protections. While these structures are different from and more robust than those that exist in the United States, they at least offer an example of what will satisfy the European Commission. It is worth noting, however, that the European Commission also approved the EU-US Privacy Shield, only to have the CJEU ultimately strike it down. As the UK adequacy decision, if and when it becomes final, will be challenged in court by privacy advocates, there may still be future hurdles for EU-UK data transfers.
Companies should welcome the draft adequacy decision, but be mindful that steps still need to be taken to ensure compliance with the UK GDPR and that transatlantic data transfers remain complicated. Companies should:
- Evaluate whether they need to establish a separate data representative in the UK.
- Ensure they are in a position to implement alternative data transfer mechanisms, such as SCCs and BCRs, should there be an unexpected impediment to a final UK adequacy decision.
- Stay apprised of developments with transatlantic data transfers, including the impending revisions to the SCCs.
With data privacy being one area of potential early agreement as part of a broader reset of transatlantic relations under the Biden administration, there are likely to be positive developments in the coming year.