On 18 February, the European Commission published its draft adequacy decision in respect of the United Kingdom. This is a mechanism set out under both the EU and UK versions of the GDPR, to allow for data to flow freely from the European Economic Area to a third country (such as the UK following Brexit) that the EU has deemed to have an 'adequate' standard of data protection law, without the need for additional safeguards. If the full decision is granted by the European Commission, this will mean that data flows from the EEA to the UK will be able to continue without any additional protection mechanisms (for example, the Model or Standard Contractual Clauses in place).
What is the current position for EU/UK data transfers?
After the end of the transition period, as part of the EU-UK Trade and Cooperation Agreement, the UK was granted a grace period (with some caveats) for no longer than six months, which meant that UK organisations could continue to process data from, and exchange data with, the EEA. The UK has previously announced that it has granted 'adequacy' for transfers from the UK to the EEA, but the EU has not previously confirmed whether it would reciprocate this decision.
In practice, this means that current data flows between the UK and EEA have been allowed to continue, but there was a risk that data would be unable to be transferred from the EEA to the UK once the grace period expired without businesses putting in place additional safeguards required by both UK and EU data protection law. If the grace period expired without the UK and EU agreeing a solution for data flows (such as an adequacy decision), this would mean that business would have to contend with an additional layer of complexity for business relationships with the EEA. Currently the long stop date for the grace period is 30 June 2021.
We have previously discussed what the end of the transition period meant for data processing in the UK. For more information, see this blog post.
What has happened?
The question of whether the European Commission would grant adequacy has been a constant source of uncertainty for UK business throughout the Brexit process and negotiations (for example, see our commentary on the recent Privacy International case). In the absence of an adequacy decision, at the end of the grace period, all business in the UK accepting data from, and sending data to, the EEA would have to assess their data flows, implement new layers of security (both technical and legal) and potentially risk assess all of these transfers.
The new draft adequacy decision is good news for businesses looking to continue to transfer data between the UK and EEA, and is the biggest indicator to date that the European Commission will grant the UK adequacy, and thereby continuing to permit transfers of data from the EEA to the UK without the need for additional regulatory barriers. In effect, a formal adequacy decision would mean that the European Commission has recognised that the UK protects the privacy rights of individuals to an “essentially equivalent” standard as that set out in EU GDPR, and would mean that UK businesses do not need to put in place additional safeguards to protect the personal data of individuals based in the EEA.
The adequacy decision is not perpetual. The European Commission has also retained the right to review the decision every four years. This will be especially relevant if the UK begins to diverge from the EU, as it starts to enact its own legislation and adopt a body of case law outside of the retained body of EU case law.
What next?
The published text is currently in draft and, although this is a step in the right direction, the UK still does not have an adequacy decision in its favour. The European Commission’s draft adequacy decision will now be reviewed by the European Data Protection Board.
The European Data Protection Board does not have the power to block an adequacy decision outright, but the European Commission is likely to take into account its recommendations when deciding on the final form of the adequacy decision. Once this process has been completed, the adequacy decision must be approved by a committee of representatives of the EU Member States.
Finally, even if adequacy is granted, the continued ability to freely transfer data to and from the EEA will still have an ongoing level of uncertainty, as the European Commission has retained the power to review its positions every four years and it is still open to legal challenges in the EU courts, as we saw in 2020 when the EU-US Privacy Shield was declared invalid by the CJEU.
As always, Burges Salmon’s Data Protection team is available to help with any next steps and advise your business.
This article was written by David Varney and Andrew Wilson.