Adequacy decisions are the easiest way to transfer personal data out of the EU. Once the European Commission has determined the level of protection in a country or region is essentially equivalent to European standards, data can flow freely without any prior authorizations or specific contractual requirements.
In the case of the United Kingdom, almost five years after the Brexit vote took place, the questions around UK adequacy have been laid to rest: in June 2021, the European Commission adopted a pair of adequacy decisions for the UK. What are those adequacy decisions? How do they impact organisations operating in the UK, and EU citizens? Why are there some concerns about those adequacy decisions at the moment?
What are adequacy decisions for the UK?
In June 2021, just in time for the final Brexit transition period to end, the European Commission adopted two adequacy decisions for the United Kingdom – one covering the GDPR and another for the Law Enforcement Directive (LED).
- Under the GDPR, the adequacy decision is relevant for anybody in the commercial sector and government authorities to facilitate smooth trade between the UK and the European Union.
- Under the LED, the adequacy decision is in place to maintain police and judicial cooperation between the EU and the UK and thus to fight crime effectively.
What are the key components of those adequacy decisions?
The critical elements forming the basis of the adequacy decisions are listed below.
- The UK’s data protection system continues to be based on the same rules that were applicable when the UK was a Member State of the EU. In addition, the UK has fully incorporated the GDPR and the LED in its legal system.
- The European Commission found that the UK’s data protection system adhered to the same rules that applied when it was an EU member state. It had “fully incorporated” the principles, rights, and obligations of the GDPR and Law Enforcement Directive into its post-Brexit legal system.
- The UK system provides strong safeguards regarding access to personal data by public authorities in the country. There are remedies in place if, for example, a person suspects they have been subject to unlawful surveillance. They can lodge a complaint with the Investigatory Powers Tribunal and seek redress.
- The UK is also subject to the European Court of Human Rights. It will have to adhere to the European Convention on Human Rights and the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.
- Both adequacy decisions include a ‘sunset clause’, which means they will last for a limited period of four years after entering into force, which is until 2025. During these four years, the Commission will monitor the legal situation in the UK. It could intervene at any time if the UK deviates from the current level of data protection. After this period, adequacy findings may be reviewed and renewed if the UK continues to ensure the equivalent level of data protection as the EU.
What does it mean for organisations operating in the UK? And EU citizens?
The EU has the highest standards when it comes to personal data protection. When personal data is transferred abroad, EU citizens should benefit from the same level of data protection. In this context, Didier Reynders, Commissioner for Justice at the European Commission, said:
“After months of careful assessments, today we can give EU citizens certainty that their personal data will be protected when it is transferred to the UK.”
Indeed, personal data can continue to flow freely and without restriction from the European Union to the United Kingdom, benefiting from an essentially equivalent level of protection. These transfers will not need to rely upon data transfer mechanisms, such as the EU Standard Contractual Clauses, to ensure an adequate level of protection. The adequacy decisions also facilitate the correct implementation of the EU-UK Trade and Cooperation Agreement, which foresees the exchange of personal information.
There are still some concerns.
A big concern, however, is the extensive government surveillance laws in the UK. While the UK was in the EU, these could not be assessed since national security is out of scope for the EU, but now that the UK is a third country, these laws suddenly do become relevant.
Furthermore, there is concern around the UK adequacy decisions as the UK has announced the need for more flexibility with its data protection rules. This flexibility is meant to encourage investments in the UK, resulting in more business. The extent to which the UK legislation may deviate in the future is unknown, but more leeway is expected for companies to re-use data. Also, cookie rules will likely change. For this reason, the EU Commission has set these adequacy decisions with a sunset clause. A sunset clause in this particular situation means that the adequacy decisions will automatically expire in four years, at which point the EU will actively review the UK legal framework. If it is still considered essentially equivalent, then the EU will propose to extend the adequacy. However, should the UK rules indeed deviate from the GDPR during the four years, the EU Commission is allowed to initiate an earlier review and suspend, or even repeal, the adequacy decision.
The EU and UK have avoided interruptions to their data transfers, which should be a relief to data exporters based in the EU who otherwise would have needed to implement complex data transfer mechanisms, such as standard contractual clauses. But whether courts will challenge the UK’s data adequacy status is still uncertain.