Following Brexit, the United Kingdom withdrew from the European Union on 31 January 2020. Under the EU-UK Withdrawal Agreement, a transition period was created during which EU law continued to apply in the UK, which ended on 31 December 2020.
As of 1 January 2021, personal data transfers to the UK have been governed by the EU-UK Trade and Cooperation Agreement (TCA). The TCA provides an interim regime (a ‘bridging clause’) ensuring the continuity of data flows between the European Economic Area (EEA) and the UK, with no need for companies and public authorities to use any transfer tools that would otherwise be required under the General Data Protection Regulation (GDPR) or the Law Enforcement Directive (LED) to transfer personal data outside the UK. This solution is only applicable for six months and so long as the UK does not change its current data protection regime. Thus, the UK must continue to apply the same data protection rules, based on EU law, that were applicable during the transition period.
On 19 February 2021, the European Commission (EC) launched the procedure for the adoption of two adequacy decisions for transfers of personal data from the EEA to the United Kingdom, under both the GDPR and the LED.
The adequacy process involves:
- a proposal from the EC;
- obtaining an opinion from the European Data Protection Board (EDPB);
- an approval from a committee of representatives of the EU Member States; and
- the adoption of the two adequacy decisions by the EC.
The effect of an adequacy decision is that personal data can flow from the EEA to that third country (ie the UK) without requiring any further safeguards. Adequacy status is conferred if a country outside the EU is deemed to offer adequate levels of data protection (ie that country’s data privacy rules are essentially aligned with the fundamental principles enshrined in the GDPR). Note that adequacy decisions do not cover data exchanges in the law enforcement sector as the LED governs such transfers.
Without adequacy, the UK becomes just another country to which any transfer of GDPR-covered data must be accomplished by the use of appropriate safeguards to protect the personal data of EU citizens. Under GDPR Article 6, which covers the lawfulness of processing, data controllers must evaluate whether appropriate safeguards are in place to protect personal data before further processing is permitted (processing for a purpose other than originally collected). The appropriate safeguards specified by GDPR Article 6 are encryption and pseudonymisation.
GDPR Article 46, which covers transfers subject to appropriate safeguards, states that absent an adequacy decision under Article 45, personal data may only be transferred to a country outside the EU if the data controller or processor has provided ‘appropriate safeguards’ for that data. Under Article 46 there are technically eight possible appropriate safeguards, two of which require approval from a competent supervisory authority. However, to date, the most commonly used safeguards are binding corporate rules and standard contractual clauses (following the Schrems II ruling, new standard contractual clauses have yet to be formally issued by the EC).
So far, the EC has only conferred adequacy status to Andorra, Argentina, Canada (qualified), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay. In March 2021, the EC and South Korea finalised adequacy talks and the EC must now launch the decision-making procedure to adopt the adequacy decision.
On 13 April 2021, the EDPB adopted two opinions in relation to the UK's bid to obtain adequacy status:
- Opinion 14/2021 is based on the GDPR, and assesses general data protection aspects as well as government access to personal data transferred from the EEA for the purposes of law enforcement and national security, including the legal remedies available to individuals in the EEA. The EDPB also assessed whether safeguards provided under the UK legal framework are in place and effective. The main references used by the EDPB for this opinion are the GDPR Adequacy Referential (adopted in February 2018) and the EDPB Recommendations 02/2020 on the European Essential Guarantees for surveillance measures.
- Opinion 15/2021 is based on the LED, discussions with the UK government and an assessment of the UK data protection framework. It analyses the draft adequacy decision in relation to Recommendations 01/2021 on the adequacy referential under the Law Enforcement Directive, as well as the relevant case law reflected in Recommendations 02/2020 on the European Essential Guarantees for surveillance measures. The main reference used by the EDPB for this opinion is its LED Adequacy Referential (adopted in February 2021).
The EDPB recognised that the UK has quite closely mirrored the GDPR and LED in its data protection framework and when analysing its law and practice, the EDPB identified substantial equivalencies. In its opinions, the EDPB noted key areas of strong alignment between the EU and UK data protection frameworks on key provisions such as: grounds for lawful and fair processing for legitimate purposes; purpose limitations; data quality and proportionality; data retention, security and confidentiality; transparency; special categories of data; and on automated decision making and profiling.
While laws can evolve, if this alignment is maintained then there is no reason why the UK should not obtain and maintain adequacy. However, the EC will monitor data privacy conditions in the UK and if there are substantive deviations from the standards of protection currently provided to personal data transferred from the EU, its adequacy status can be amended, suspended or revoked.
The EDPB was clear that several items must still be assessed and monitored by the EC before a decision is made to confer adequacy to the UK based on the GDPR. Its concerns focus on, among others, the: (1) ‘immigration exemption’ and its consequences on restrictions on data subject rights; and (2) onward transfers of EEA personal data transferred from the UK to third countries to ensure that an essentially equivalent level of protection will continue to be provided. These concerns exist particularly in light of the UK’s international data-sharing agreements with third countries, such as the UK-US CLOUD Act or the UK-US Communication Intelligence Agreement. The EDPB has particular concern where such agreements are secret and inaccessible by the public.
As to access to personal data transferred to the UK by public authorities for national security purposes, the EDPB welcomed the establishment of the UK Investigatory Powers Tribunal (IPT), as it is not only competent to hear cases on the use of investigatory powers by law enforcement authorities but also by intelligence services. Additionally, the EDPB praised the introduction of ‘Judicial Commissioners’ in the Investigatory Powers Act 2016 (IPA 2016) as a significant improvement because an important function of the judicial commissioners is to approve different surveillance measures, including targeted interception and bulk acquisition of communication data in individual cases.
However, the EDPB expressed reservations about scenarios where lawful data interceptions are possible without approval by the Investigatory Powers Commission (IPC) or the Judicial Commissioners. The EDPB expressed a desire for the EC to ensure the UK legal framework provides appropriate safeguards, including oversight and individual redress to ensure protection that is essentially equivalent to that in the EU.
The EDPB has also identified a number of points requiring further clarifications and/or monitoring, including: 1) bulk interceptions; 2) independent assessment and oversight of the use of automated processing tools; and 3) safeguards provided under UK law in relation to overseas disclosures, particularly in light of the application of national security exemptions.
Moreover, the EDPB expressed concerns that in the case of overseas disclosures of personal data, the application of a national security exemption provided under UK law could abrogate safeguards that ensure respect for the principles of purpose limitation, necessity and proportionality. It also has concerns whether sufficient rights of individuals, oversight and redress are provided or respected in third-country data destinations. Thus, the EDPB recommended that the EC examine the overall safeguards provided under UK law in relation to overseas disclosures, in particular in light of the application of national security exemptions.
The EDPB has recognised many areas of convergence between the UK and the EU data protection regimes and considers the UK adequacy assessment unique because of the UK’s prior membership in the EU. The EDPB has also recommended that the EC address the challenges it has identified in its opinions and closely monitor developments in the UK that may affect the equivalence of personal data protections in the UK and take appropriate action.
The UK is well on its way down the road to adequacy. The opinions adopted by the EDPB on 13 April 2021 bode well for the UK and as long as the UK continues to adhere to the spirit of the principles of the GDPR and LED, it will likely be conferred with adequacy status by the EC.