Why is UK adequacy relevant for the UK post-Brexit?
As the Data Protection Directive (95/46/EC) did 20 years earlier, the EU General Data Protection Regulation (2016/679) (EU GDPR) sets a severe restriction in the context of today’s increasingly interconnected and digitally borderless world. Transfers of personal data to a so-called “third country”, that is any country outside the European Economic Area (EEA), are only allowed subject to certain conditions, namely:
- The third country ensures an adequate level of protection for the personal data as determined by the European Commission (EC);
- In the absence of that adequate level of protection, the provision of appropriate safeguards (like Standard Contractual Clauses or Binding Corporate Rules (BCRs)); or
- In the absence of the foregoing, the international transfer of personal data fits within one of the derogations for specific situations covered by the EU GDPR.
With the UK having become a “third country” following Brexit, data flows from the EU to the UK will only be permitted if one of these conditions is met. The most advantageous position for the UK would be that the EC deems it as providing an “essentially equivalent” level of data protection to that of the EU. While this is a serious concern, it is not an immediate one as transfers of personal data from the EU to the UK are still legally allowed during the “bridging period” agreed under the EU-UK Trade and Cooperation Agreement, which ends, at the latest, on 30 June 2021. During this time, the UK will not be treated as a third country for the purposes of personal data transfers from the EU (see Practice note, Brexit: implications for data protection: Trade and Co-operation agreement and UK-EU adequacy decision).
In other words, the EC has a timeframe of now less than four months to decide whether the UK is to be regarded as an adequate jurisdiction for transfers of personal data from the EU. If this is the case, the status quo will remain and the free flow of personal data from the EU to the UK will continue after the end of the “bridging period”.
On 19 February, the EC took key steps towards UK adequacy and published the draft of the adequacy decision for transfers of personal data to the UK under the EU GDPR (Draft Adequacy Decision). Although no final decision has been made and the UK adequacy approval procedure is still underway, the significance of the Draft Adequacy Decision should not be underestimated (see Legal update, Draft GDPR and LED adequacy decisions start EC process on personal data flows from EU to UK).
What are the adequacy criteria?
In order to determine whether the UK ensures an “essentially equivalent” level of protection to that afforded in the EU, the Draft Adequacy Decision covers a detailed analysis of the UK data protection legal framework and the rules applicable to government access to personal data. This is based on the adequacy criteria set out under Article 45(2) of the EU GDPR, namely:
- an analysis of the legislation, both general and sectoral, in the third country (mainly, the UK GDPR and the DPA 2018 in the UK);
- the existence and effective functioning of one or more independent supervisory authorities (in the UK, that is the Information Commissioner’s Office); and
- the international commitments the third country has entered into (which in the UK are the European Convention on Human Rights (ECHR) and the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108)).
Analysis of UK data protection legal framework
The adequacy analysis of the UK data protection legal framework is essentially a comparison between the EU and the UK frameworks. Throughout the comparison exercise, the Draft Adequacy Decision consistently takes the view that the UK data protection legal framework closely mirrors the one in the EU. There is one area which the EC looks into very carefully: the restriction of individual rights and other provisions under the immigration exemption and for the purpose of safeguarding national security or for defence purposes. However, given that the exemptions are subject to a number of strict conditions and can only be invoked on a case-by-case basis, the EC takes the view that they are unlikely to compromise the level of protection afforded in the UK.
Analysis of UK government access regime
The Draft Adequacy Decision devotes 53 pages to analysing the UK legal framework governing the potential access and use by UK public authorities of personal data transferred from the EU (UK government access regime), and assessing whether this framework meets the standard required under the EU GDPR and relevant Court of Justice of the European Union (CJEU) case-law.
The EC concludes that the UK government access regime meets the identified criteria and therefore satisfies the standard required under the EU GDPR and relevant CJEU case-law.
As a side-note, the Draft Adequacy Decision may prove a helpful precedent for organisations that, following the Schrems II decision, are required to make their own assessments of local laws relating to access by public authorities before transferring personal data outside the EEA.
Is there a risk of the Draft Adequacy Decision being challenged?
The Draft Adequacy Decision is long, dense, and very detailed. The EC emphasises that the UK, being a former EU Member State, has been complying with the EU legal framework, standards and legal culture for many years. This is reflected in the UK’s current legal framework, and helps to ensure an equivalent level of protection for personal data. In addition, its focus on the UK government access regime seems designed to pre-empt any concerns that could be raised in light of the Schrems II, Privacy International and La Quadrature du Net decisions (see Practice note, Brexit: implications for data protection: International data transfers following the transition period).
All these elements give reason to be optimistic that the Draft Adequacy Decision for the UK will be finally adopted, satisfying expectations of businesses within both the UK and the EU. Having said this, the Draft Adequacy Decision must now be scrutinised by Member States and the European Data Protection Board (EDPB). It is also likely to be reviewed by other interested parties.
Given that the EC places particular emphasis on the UK’s adherence to international instruments, another factor that may compromise an adequacy finding is any attempt by the UK Government to deviate from the international instruments regarding the protection of personal data (namely, the ECHR and Convention 108) and from its submission to the jurisdiction of the European Court of Human Rights (ECtHR).
For the EC to adopt a final adequacy decision, two additional steps are now required: (i) a non-binding assessment by the EDPB and (ii) an endorsement by a committee of representatives of EU Member States. No timeline has been provided so far for such opinions, but there will be significant pressure for the adequacy decision to be adopted before the end of the “bridging period” on 30 June 2021. Once the decision is finalised, the UK’s compliance with the adequacy finding will be subject to continuous monitoring; subject to that, the UK adequacy decision is likely to be effective for a period of four years from its entry into force, and may be extended for a further four years.