The European Commission has finally approved two decisions on 28 June granting the United Kingdom the cherished status of having “adequate” data protection laws so that transfers of personal data from the European Union are not restricted. The decisions follow months of negotiations after the Brexit transitional period ended on 31 December 2020 and before the temporary adequacy bridge is due to end on 30 June 2021.
The United Kingdom’s decisions, for processing under the UK implementation of the General Data Protection Regulation (GDPR) and under the Law Enforcement Directive, are limited to a four-year term, which is renewable subject to the United Kingdom retaining an adequate legal framework to protect personal data.
The decisions are based on the following considerations:
- The United Kingdom's data protection system continues to be based on the same rules that were applicable when the United Kingdom was a member state of the European Union. The United Kingdom has fully incorporated the principles, rights, and obligations of the GDPR and the Law Enforcement Directive into its post-Brexit legal system.
- With respect to access to personal data by public authorities in the United Kingdom, notably for national security reasons, the UK system provides for strong safeguards. In particular, the collection of data by intelligence authorities is, in principle, subject to prior authorisation by an independent judicial body and claims can be brought in the Investigatory Powers Tribunal. The United Kingdom is also subject to the jurisdiction of the European Court of Human Rights and it must adhere to the European Convention of Human Rights as well as to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, which is the only binding international treaty in the area of data protection.
- For the first time, the adequacy decisions include a so-called “sunset clause,” which strictly limits their duration. This means that the decisions will automatically expire four years after their entry into force. After that period, the adequacy findings might be renewed, but only if the United Kingdom continues to ensure an adequate level of data protection. During these four years, the European Commission will continue to monitor the legal situation in the United Kingdom and could intervene at any point if the United Kingdom deviates from the level of protection currently in place. Should the European Commission decide to renew the adequacy finding, the adoption process would start again.
Transfers for the purposes of UK immigration control are excluded from the scope of the adequacy decision adopted under the GDPR in order to reflect a recent judgment of the England and Wales Court of Appeal on the validity and interpretation of certain restrictions of data protection rights in this area. The European Commission will reassess the need for this exclusion once the situation has been remedied under UK law.
As we discussed in our prior LawFlash, the European Commission has now approved the new Standard Contractual Clauses for transfers of data from the European Union to “third countries” that are not deemed to have adequate data protection laws, such as the United States. The European Data Protection Board has also released its final guidance on measures to assess compliance with the GDPR and the use of SCCs by organisations. These EU SCCs are not, however, approved for use by UK organisations transferring personal data protected under the UK GDPR. This means that there is a real possibility that organisations will need additional data transfer agreements for the transfer of UK-protected personal data with EU-protected personal data.
The Information Commissioner’s Office (ICO) has announced it will publish a UK set of SCCs this year. At this point, we understand that the ICO is not intending to approve the EU SCCs, which could be logistically challenging for UK organisations transferring commingled personal data from the United Kingdom and Europe.
The data transfer landscape remains complex for multinationals. Organisations have a transitional period of 18 months to replace the old EU SCCs, and we anticipate that the ICO will publish the UK SCCs this year. Organisations also need to complete risk assessments and implement any required safeguards to protect the data on transfer, notwithstanding the SCCs themselves.
Open Rights Group v Secretary of State for the Home Department and Secretary of State for Digital, Culture, Media and Sport EWCA Civ 800.