The EU Commission has formally adopted two UK adequacy decisions, one under the GDPR and the other under the Law Enforcement Directive (LED). This means that personal data can continue to flow freely from the EU to the UK, without putting in place additional safeguards, such as the Standard Contractual Clauses.
The adequacy decisions were adopted just two days before the interim solution agreed under the EU-UK Trade and Cooperation Agreement, permitting the free flow of data from the EU to the UK, was due to expire on 30 June 2021.
UK ensures an adequate level of protection for personal data
The European Commission concluded that the UK ensures an adequate level of protection for personal data transferred within the scope of the GDPR from the EU to the UK. The UK’s data protection system continues to be based on the same rules that were applicable when the UK was an EU Member State. It has fully incorporated the principles, rights and obligations of the GDPR and the LED into its post-Brexit legal system.
Four year duration only
Unlike prior adequacy decisions, the UK adequacy decisions include a ‘sunset clause’, limiting their duration to four years after their entry into force (i.e. until 27 June 2025). After that period, the adequacy findings may be renewed. However, only if the UK continues to ensure an adequate level of data protection. During this period, the Commission will closely monitor legal developments in the UK, including in regard to onward transfers of personal data. The Commission may suspend, repeal or amend the adequacy decisions at any point, if the UK deviates from the level of protection currently in place. In the event that the Commission decides to renew the adequacy finding, the adoption process would start again.
Public Authority Access to Personal Data
The European Commission has confirmed that, in its view, the UK law provides “strong safeguards” in respect of access by public authorities to personal data for national security reasons. In particular, the Commission notes that the collection of data by intelligence authorities is, in principle, subject to prior authorisation by an independent judicial body, and any measure must be necessary and proportionate. In addition, any person who believes that they have been subject to unlawful surveillance can bring an action before the Investigatory Powers tribunal.
The UK is also subject to the jurisdiction of the European Court of Human Rights and it must adhere to the European Convention of Human Rights as well as to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.
Transfers for UK immigration control excluded
Transfers of personal data for the purposes of UK immigration control are excluded from the scope of the UK adequacy decision adopted under the GDPR, in order to reflect a recent judgment of the England and Wales Court of Appeal on the validity and interpretation of certain restrictions of data protection rights in this area.
The adoption of the UK adequacy decisions will be widely welcomed by businesses, as it relieves them of the need to put in place additional safeguards in respect of EU to UK transfers. The UK Information Commissioner has commented: “Approved adequacy means that businesses can continue to receive data from the EU without having to make any changes to their data protection practices…Adequacy is the best outcome as it means organisations can carry on with data protection as usual. And people will continue to enjoy the protections that their data will be used fairly, lawfully and transparently.”