On 28 June 2021, just two days before the interim EU-UK data transfer “bridging mechanism” expired under the Trade and Cooperation Agreement, the European Commission (EC) adopted two adequacy decisions for the UK to facilitate transfers of personal data from the EEA to the UK under the GDPR and the Law Enforcement Directive.
To the relief of business, and to bring to an end this particular stage of the journey, the adequacy decisions confirm that the UK offers levels of protection to personal data essentially equivalent to those guaranteed under EU law, without the need for transferring organisations to put in place further safeguards. To see how we got here, David Smith’s consideration of the draft decisions can be found here.
The EC notes that the UK’s data protection system continues to be modelled on the same rules that were applicable when the UK was a Member State of the EU, and that post-Brexit, the UK has incorporated the principles, rights and obligations of the GDPR and Law Enforcement Directive into its legal system. The adequacy decisions also recognise that the UK’s legal system provides strong safeguards in respect of access to personal data by public authorities and that the collection of data by intelligence authorities requires prior authorisation by an independent judicial body.
Interestingly, unlike any other adequacy decision adopted by the EC, the UK adequacy decisions include a ‘sunset clause’. The provision ensures that the adequacy decisions will automatically expire four years (on 27 June 2025) after becoming effective, with an option to renew if the UK’s law and practice continue to ensure an adequate level of data protection. The EC also retains the right to intervene if the UK does not meet the level of data protection currently in place, and the EC will continuously monitor how the UK privacy and data protection framework develops in the future. It therefore remains the case that the UK likely cannot diverge too far from its existing data protection regime without risking the adequacy decision – certainly something to consider in light of recent proposals for data protection reform from the Taskforce on Innovation, Growth and Regulatory Reform.
In adopting its final adequacy decisions, the EC has looked to keep pace with case law developments. Specifically, the scope of the EC’s adequacy decision does not cover data transfers for the purposes of UK immigration control, with the EC clarifying that the reason for this exclusion is in order to reflect the Court of Appeal’s recent judgment on the validity and interpretation of restrictions on data protection rights in this area. The EC notes that the exclusion of such data transfers from the adequacy decision will be reassessed when the issue has been remedied under UK law.
The ICO issued a statement commenting on the EC’s approval of the UK adequacy decisions, where it noted that the adequacy decisions enable business to continue to receive data from the EU without altering their current data protection practices.
See the European Commission press release here, the GDPR adequacy decision here, and the Law Enforcement Directive adequacy decision here. The ICO’s statement is available here.
