On 28 June 2021, the European Commission announced that it had approved two adequacy decisions for the United Kingdom (UK). With these decisions, one under the General Data Protection Regulation (GDPR) and one under the European law enforcement directive, the Commission confirms that the UK offers a level of data protection essentially equivalent to that in the European Union (EU). With this hurdle out of the way, personal data can continue to flow freely from the EU to the UK without the need for additional safeguards or regulator approval. The free flow of data in the other direction, from the UK to the EU, had already been confirmed by the British government at the time the UK ceased being a member of the EU.
The decisions came with little time to spare, since the Brexit transition arrangement for data protection was only in place until 30 June 2021. Organizations can now rely upon the adequacy decisions immediately – there is no transition period required. However, it is also clear that there are still concerns in Europe about the level of protection in the UK going forward, because the Commission included a sunset clause in the adequacy decisions. The decisions expire in four years, unless explicitly extended.
The main concerns are twofold. First of all, the UK government has indicated several times already that it is pursuing an aggressive economic agenda in order to welcome foreign investment. This may also have an effect on the country’s data protection laws, as is clearly indicated in a report commissioned by the UK government. It suggests that a new data protection law should become more flexible, less onerous to work with and contain fewer compliance obligations, and give more room for the use of artificial intelligence in a variety of sectors. Critics have stated that the report misrepresents the GDPR as a primarily consent-based framework and includes other wrong assumptions about Europe’s data protection law, but that is unlikely to affect the UK government’s plans. The European Commission has, however, made clear that it is monitoring the data protection legislation and practices of the UK, including with regard to onward transfers of European data to non-EEA countries (e.g. the U.S.), and may decide to repeal the adequacy decisions if real divergence is noted. The Norwegian DPA has announced that it sees this provision as a real risk that the adequacy decisions will not remain valid until 2025.
The second concern related to the UK adequacy decisions is the scope of the UK’s government access and surveillance laws. These have in principle been addressed in the adequacy decisions, but both the European Parliament and the European Data Protection Board (EDPB) have raised numerous questions about the intrusive nature of the UK’s surveillance laws. Clearly the Belgacom hack by the UK security services has not yet been forgotten. Bearing in mind the close cooperation between the American and British services, some are surprised that the UK’s legislation has received sign-off from the European Commission less than a year after the Court of Justice struck the Privacy Shield off the books. It is no secret that several civil rights non-profits are considering possible legal challenges to the Commission’s decision.
Review your GDPR dataflows that involve the UK
Identify any processing activities that involve GDPR personal data being transferred to the UK, even indirectly. UK processors may reach out to their respective controllers or upstream processors to revise the agreements currently in place. Even though an adequacy decision generally means data can flow freely, organizations should note that the situation – once again – may change overnight, especially if the Court of Justice of the European Union is asked for a decision. A potential divergence of British laws from the EU’s expectations will be easier to predict. TrustArc will continue to monitor the legal situation in the UK and provide updates to our customers via Nymity Research. There are few alternatives available, especially given that the new Standard Contractual Clauses for International Transfers, as adopted by the European Commission, cannot be used if a processing operation is directly subject to the GDPR.
Keep in mind that the UK has announced its intention to adopt its own new standard contractual clauses modeled after the recently adopted ones in the EU. Should this occur, we will provide more information.
Appoint representatives as required
Now that the UK no longer forms a part of the EU, organisations should pay particular attention to the requirements under Article 27 of both the EU GDPR and the UK GDPR. These provisions require the appointment of an official representative if the organisation has no physical establishment in the EU or the UK respectively. So, for example, a U.S. organisation that has a subsidiary in the UK is now required to appoint an EU representative. An EU company doing business in the UK without a local establishment will in turn have to appoint a UK representative. And a Chinese company without any European base, which has been able to rely on its EU representative, will now need to add a UK representative as well.