On 14 April 2021, the European Data Protection Board ("EDPB") announced that it had adopted two Opinions on the draft UK adequacy decisions issued by the European Commission on 19 February 2021. The EDPB’s take on the draft adequacy decisions is broadly positive, and will come as welcome news to UK and EEA businesses with cross-border data flows.
In the run-up to the end of the Transition Period under the UK-EU Withdrawal Agreement on 31 December 2020, there had been doubts as to how cross-border data transfers from the EU to the UK would work, in light of the prohibition on such transfers set out in the GDPR and the Law Enforcement Directive (the "LED"). However, on 28 December 2020, the UK and the EU agreed the Trade and Cooperation Agreement, which included provisions allowing those transfers to continue temporarily, while the EU assessed whether the UK should receive an adequacy decision that would provide a more permanent solution for EU-UK data transfers. But this process has not been plain sailing.
On 5 February 2021, the LIBE Committee of the European Parliament issued its own (non-binding) Opinion, which concluded that the UK should not be granted an adequacy decision for several reasons, including perceived concerns around national security.
On 19 February 2021, the European Commission released its draft adequacy decisions, one in relation to the GDPR (which considers, among other things, the UK’s general data protection framework and the level of access that the UK Government has to personal data for law enforcement and national security purposes) and one in relation to the LED (which assesses, among other things, the UK’s standards regarding police and judicial cooperation in criminal matters).
In its announcement, the EDPB noted that there exist "key areas of strong alignment between the EU and the UK data protection frameworks". This reflects the fact that the UK’s post-Brexit implementation of the GDPR (the "UK GDPR") is largely identical to the (EU) GDPR. In particular, the EDPB highlighted common ground on "grounds for lawful and fair processing for legitimate purposes; purpose limitation; data quality and proportionality; data retention, security and confidentiality; transparency; special categories of data; and on automated decision making and profiling".
Items for further consideration
While the EDPB’s announcement is broadly in favour of the UK being granted an adequacy decision, it has flagged a number of areas that should be assessed in greater detail by the European Commission before reaching an adequacy decision for the UK. These include:
a. the UK Data Protection Act’s "immigration exception", which essentially relieves controllers involved with immigration-related activities of certain obligations under the GDPR, to the extent complying with those obligations would prejudice: (i) the maintenance of effective immigration control; and/or (ii) the investigation or detection of activities that would undermine the maintenance of effective immigration control; and
b. the rules regarding onward transfers of personal data (i.e., personal data transferred from the EEA to the UK under an adequacy decision, and then transferred onward from the UK to a third country).
Further to the above, whilst the EDPB approved of the UK’s creation of the Investigatory Powers Tribunal and the introduction of Judicial Commissioners, it flagged the long-standing concerns around interception of communications under the UK’s Investigatory Powers Act 2016 as requiring further consideration.
What happens next?
Now that the EDPB has provided its Opinions, the European Commission will seek approval from representatives from each EU Member State. Once that process is completed, the European Commission will adopt a final decision regarding the adequacy decisions.
If adopted, the adequacy decisions would be valid for a period of four years, after which the adequacy decisions may be renewed if the UK’s data protection regime continues to be deemed adequate.
Impact on businesses
As it currently stands, and by virtue of the Trade and Cooperation Agreement, transfers of personal data from the EEA to the UK can continue unrestricted until 1 May 2021. This deadline will be automatically extended to 1 July 2021 unless either side objects. After this period, appropriate safeguards (e.g., Standard Contractual Clauses) will be needed in order to transfer personal data from the EEA to the UK, unless the draft adequacy decisions are approved.
If the decisions are approved, the UK will join the short list of non-EEA countries to which EEA personal data may flow without restriction. This would be welcome news, and offer certainty, to both UK and EEA operators of businesses with cross-border data flows.
Joe Devine (White & Case, Associate, London) and Zoe Harvey (White & Case, Trainee Solicitor, London) contributed to the development of this publication.