Logan Finucan, Access Partnership, explains how the European Commission has launched the process towards the adoption of two adequacy decisions for personal dataflows to the UK
These two adequacy decisions are:
- An implementing decision within the framework of General Data Protection Regulation (GDPR) and;
- A second implementing decision within the framework of Law Enforcement Directive.
The UK welcomed the announcement and invited the Commission to finalise the “technical process swiftly”, reminding the Commission that the UK data protection regime is “currently the same as the European Union’s”.
The decision resolves one of the most significant outstanding issues from the EU-UK Trade and Cooperation Agreement: without an adequacy decision, personal data transfers from the EU to the UK would be significantly disrupted. Without this temporary bridging mechanism, after 30 June 2021, cross-border operations for many businesses would be impossible.
Next, the European Data Protection Board (EDPB) will issue a non-binding opinion on the decision, and EU Member States will ultimately sanction its approval. Once approved, the final adequacy decision will be binding for all Member States, including independent supervisory authorities.
UK Data-Protection Findings
The adequacy decision under the GDPR (Regulation (EU) 2016/679) is the result of the Commission’s examination of the UK legal regime, including rules applicable to data importers and the limitations and safeguards on access to personal data by public authorities. On this basis, the Commission has concluded that both the UK GDPR and the Data Protection Act 2018 guarantee an adequate level of protection of personal data in line with EU standards. The UK data-protection system is also deemed adequate on aspects pertaining to enforcement and institutional oversight.
Safeguards: Restrictions on Onward Transfers
For transfers of EU personal data from the UK to third countries, the draft decision puts the responsibility on the UK to require that third countries be deemed adequate according to GDPR standards. This requirement may significantly impact UK efforts to strike bilateral trade agreements, including potentially joining the 11-country Asia-Pacific free trade pact, Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP).
Safeguards: Access by Public Authorities
Transfers of EU personal data to the UK for public interest purposes, notably law enforcement and national security purposes, have been limited to “what is strictly necessary” and legitimate. This safeguard mirrors recent EU concerns relating to the UK acting as a backdoor for personal data to be transferred to US national agencies, the US lacking an adequacy regime with the EU in light of the Schrems II decision.
The adequacy decision will apply for a period of four years after its entering into force. However, now that the UK is free of EU data protection rules, the two regimes may diverge over time. Therefore, the Commission’s review over the coming years will be critical. The Commission will monitor UK data-protection developments on an ongoing basis and will invite UK data-protection authorities to provide information on any updates or amendments to British law. This is especially relevant in wake of the UK pursuing unilateral legislative acts to further strengthen its own national data-protection regime.
Impact on Businesses
Adequacy remains one of the most significant unresolved issues in the EU-UK Trade and Cooperation Agreement. Provided the draft decisions are adopted without significant changes, business operations will be able to continue as usual.
In the long run, the UK and EU data protection regimes could evolve in different directions. Businesses will need to remain attentive and engaged to protect their interests and inform public policymaking.
Strict disciplines remain in place regarding onward transfers of EU data to third countries. Therefore, the UK’s efforts to improve data flows to other countries may have a minimal impact on businesses with tightly integrated UK-EU data operations seeking to move data to other jurisdictions. A case-by-case study may be necessary unless the third country is considered adequate by both parties.