The United Kingdom (UK) Adequacy Decisions mean that personal data can continue to flow freely from the European Economic Area (EEA) to the UK. The UK Adequacy Decisions came as a relief to the many hyper-connected Irish and European businesses transferring data to the UK on a daily basis.
The UK Adequacy Decisions also appear to have laid to rest, at least for the time being, any questions relating to the UK’s surveillance regime by recognising that the UK legal system provides strong safeguards in respect of access to personal data by public authorities and that the collection of data by intelligence authorities requires prior authorisation by an independent judicial body.
In the latest in our series on data transfers, we provide some insight into, and discuss the practical effects of, the UK Adequacy Decisions.
Legal backdrop to the UK Adequacy Decisions
Once the Brexit transition period ended on 31 December 2020, the UK became a “third country” in the eyes of the GDPR. This meant that transfers of personal data from the EEA to the UK would be restricted unless one of the data transfer mechanisms in Chapter V GDPR was applicable.
Under Article 45 GDPR, the European Commission (EC) can decide whether a third country offers an adequate level of data protection. Countries that benefit from an adequacy decision, for example, Switzerland, are considered to have national laws essentially equivalent to those that safeguard personal data inside the EEA. See the full list of EC adequacy decisions here.
For third countries like the United States, where no EC adequacy decision under Article 45 GDPR exists, data transfers must be legitimised on the basis of another transfer mechanism in Chapter V GDPR. This can include Standard Contractual Clauses, Binding Corporate Rules, or Article 49 derogations. However, these derogations can only be relied upon in limited circumstances. So, while the lack of an adequacy decision does not foreclose data transfers to such a country, it entails additional costs and resources for companies.
As part of the EU-UK Trade and Cooperation Agreement, which applied provisionally from 1 January 2021 once the Brexit transition period ended, the EU agreed to delay GDPR transfer restrictions until 30 June 2021. This was known as the Bridge. It enabled personal data to flow freely from the EEA to the UK until either the UK Adequacy Decisions were adopted or the Bridge ended.
The UK Adequacy Decisions
The UK Adequacy Decisions confirm that the UK offers a level of protection for personal data which is essentially equivalent to that guaranteed under EU law.
Some key points from the GDPR UK Adequacy Decision are:
• The UK’s data protection system continues to be based on EU standards. The UK has fully incorporated the principles, rights, and obligations of the GDPR and the LED into its post-Brexit legal system (the ‘UK GDPR’ is based on EU legislation)
• The UK system provides strong safeguards with respect to access to personal data by public authorities in the UK, such as:
- Data collection by intelligence agencies is, in principle, subject to prior authorisation by an independent judicial body
- If data subjects, companies, organisations, etc. feel that they have been subjected to unlawful surveillance, they may bring an action before the Investigatory Powers Tribunal
- The UK also remains subject to the jurisdiction of the European Court of Human Rights and must adhere to the European Convention on Human Rights as well as to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
• The UK Adequacy Decisions are the first EC adequacy decisions to contain a ‘sunset-clause’. The sunset clause strictly limits their duration to four years. After this period, the adequacy findings may be renewed if the UK continues to ensure an adequate level of data protection
• During the four-year period, the EC will closely monitor the legal developments in the UK. This includes having regard to onward transfers of personal data, how individual rights are exercised, and access by public authorities. The EC may suspend, repeal, or amend the adequacy decisions at any point, if the UK deviates from the level of protection currently in place. This monitoring will be particularly important given the UK government’s indication that it wants to enter into its own adequacy arrangements. This would raise concerns that the UK may be used as a “back door” to transfer EU data to “unsafe” jurisdictions, and
• Lastly, the criticised data transfers for immigration control practised by the UK are excluded from the material scope of the GDPR UK Adequacy Decision until this situation is remedied under UK law following a recent decision in the UK
What are the practical effects of the UK Adequacy Decisions for your organisation’s data transfers to the UK?
For the time being, if your organisation transfers EEA personal data to the UK, you can breathe a sigh of relief as the UK Adequacy Decisions mean that personal data can continue to flow from the EEA to the UK without utilising any of the GDPR’s additional transfer safeguards. Consequently, there are no additional costs or measures required. As summarised by the UK’s data protection supervisory authority, the Information Commissioner’s Office: “Adequacy is the best outcome as it means organisations can carry on with data protection as usual. And people will continue to enjoy the protections that their data will be used fairly, lawfully and transparently”.
More broadly, data transfers continue to be a hot topic in Europe. On foot of the CJEU decision in Schrems II, regulators are frequently investigating compliance with the GDPR’s data transfer requirements. Organisations should ensure that they have reviewed their data transfers and assessed whether their data transfer mechanisms are sufficient. For Irish and European businesses transferring data to the UK, the UK Adequacy Decisions are a welcome outcome.