On 19 February 2021, the European Commission (“Commission”) published a draft adequacy decision (“Draft Decision“) in respect of the data protection framework in the United Kingdom (“UK“). The assessment is made both in relation to the EU General Data Protection Regulation 2016/679 (“GDPR“) and the Law Enforcement Directive 2016/680 (“LED“).
The adoption of the adequacy decision must be approved by June 2021 to ensure the continuity of data transfers between the European Union (“EU“) and the UK.
Data transfers between the EU and the UK have become a matter of concern and uncertainty in the post-Brexit era. As a result of Brexit, the UK became a “third country” under the GDPR.
In turn, this meant that data could no longer flow freely between the UK and other EU states, but that transfers to a third country must receive adequate protection through the mechanisms established by the GDPR, namely: (i) the use of Standard Contractual Clauses; (ii) Binding Corporate Rules (both as defined in the GDPR); or (iii) an adequacy declaration issued by the Commission.
The UK initiated the adequacy assessment process in March 2020, when it started to share information on the national data protection framework with the Commission.
Pursuant to the trade deal agreed between the EU and the UK in December 2020, free flow of data between the EU and UK can continue until April 2021, extendable to 30 June 2021 (the “Interim Period“). Once this Interim Period has expired, certain conditions established in the GDPR must be met to ensure the legality of such transfers.
DATA REGULATION FRAMEWORK IN THE UK
Following the end of the transition period on 31 December 2020, the regulatory framework applicable to data protection in the UK include the following:
- the GDPR in its entirety (including its recitals) (the “UK GDPR“), as incorporated into the law of the UK under the EU (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (together “Exit Regulations“);
- Data Protection Act 2018 (“DPA 2018“), as amended by the Exit Regulations;
- secondary legislation that may be introduced by ministers of the UK in accordance with the Exit Regulations;
- codes of practice and other guidance adopted by the Information Commission; and
- the European Convention of Human Rights (“ECHR“) and the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ETS 108, 28.01.1981(“Convention 108“).
During the assessment period of the UK’s legal and regulatory data protection landscape, the Commission concluded that:
- the UK regulatory framework provides a satisfactory level of protection for personal data within the meaning of the GDPR;
- the oversight mechanisms and redress avenues available in the UK allows data subjects to obtain access to their personal data collected for different purposes and require rectification of any information; and
- any impact on the fundamental rights of the individuals whose personal data are transferred from the EU to the UK for public interest purposes will be limited to the minimum necessary to reach the relevant objective.
The Commission highlights that the decision was reached on the basis that the UK currently adheres to the ECHR and is subject to the jurisdiction of the European Court of Human Rights and such scenario must perdure on a continued basis.
CONSEQUENCES OF THE ADEQUACY DECISION
If a final adequacy decision (the “Decision“) is formally adopted, the Decision will be binding on all organs of the EU 27 member states to which it is addressed. As such, during the period in which the Decision is valid, data may be freely transferred between the UK and the EU members states without the need of complying with any additional requirements such as the Standard Contractual Clauses.
The Decision will apply for a period of four years from the effective date renewable for another four years if the Commission deems that the level of data protection provided by the UK is still satisfactory.
On 16 April 2021, the European Data Protection Board (“EDPB“) issued two opinions on the Commission’s Draft Decision. The first opinion (14/2021) covers matters related to the GDPR and general data protection elements. The second opinion (15/2021) relates to the LED.
The EDPB recognises that the EU and UK frameworks around data protection are broadly equivalent. Nonetheless, the EDPB highlights some areas of concern such as the UK liberty to diverge from the GDPR standards in the future.
In light of this, the EDPB encourages the Commission position of granting adequacy subject to ongoing monitoring and reviews.
The final step required before the Commission can formally adopt the Decision is the approval of the committee of representatives of EU member states.
At this stage, there is no information on how long it will take for the final step to be finalised. However, it is expected that the process will be concluded before 30 June 2021, when the interim period comes to an end.
To review the Draft Decision please click here.
For more information, and any guidance or advice on transfers of personal data Cleveland & Co External in-house counsel™, your specialist outsourced legal team, are here to help.