International data transfers – Commission adopts UK adequacy decisions just in time

On 28 June 2021, the European Commission adopted two decisions confirming the UK as an adequate jurisdiction for GDPR and Law Enforcement Directive purposes.  As the interim data transfer window under the Brexit Trade Agreement expired on 30 June, this was just in time to allow the uninterrupted free flow of personal data from the European Union to the UK.

The issue of international data transfers has long been the main area of concern from a data protection perspective regarding Brexit; particularly whether or not the UK ensures an essentially equivalent level of data protection to that guaranteed under EU legislation.

Given the importance (and value) placed on allowing data-enabled cross-border trade to continue, formal adoption of the decisions within the interim data transfer window means that organisations do not need to put in place additional transfer mechanisms to legitimise the transfer of data from the EU to the UK. This is particularly welcome given the implications of the CJEU judgement in the Schrems II case last year and the related supplementary measures referred to in the EDPB’s finalised guidance.

However, given the strong safeguards incorporated into the decisions (including the unique so-called “sunset clause” limiting the duration of the adequacy decisions and the Commission’s close monitoring of how the UK system evolves), it remains to be seen whether the UK wishes, or is indeed able, to diverge from the EU GDPR, whilst continuing to ensure an adequate level of data protection.

There will also no doubt be a nervous wait to see if there is any “Schrems-style” challenge of the adequacy decision in the short to medium term.

Key elements of the adequacy decision

The key elements of the Commission’s adequacy decision include the following:

• Based on the same rules: The UK’s data protection system continues to be based on the same rules that applied when the UK was a Member State of the EU. The UK has fully incorporated the principles, rights and obligations of the GDPR and the Law Enforcement Directive into its post-Brexit legal system. 
• Strong safeguards around public authority access: With respect to access to personal data by public authorities in the UK, notably for national security reasons, the UK system provides for strong safeguards. In particular, the collection of data by intelligence authorities is, in principle, subject to prior authorisation by an independent judicial body. Any measures need to be necessary and proportionate to what it intends to achieve. Any person who is the subject of unlawful surveillance may bring an action before the Investigatory Powers Tribunal. The UK is also subject to the jurisdiction of the European Court of Human Rights and must adhere to the European Convention of Human Rights as well as the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing, which is the only binding international treaty in the area of data protection. These international commitments are essential elements of the legal framework assessed in the two adequacy decisions.
• “Sunset clause” and continual monitoring of the UK: For the first time, the adequacy decisions include a so-called “sunset clause”, which strictly limits their duration. The decisions will automatically expire four years after their entry into force (i.e. 27 June 2025). After that period, they will only be renewed if the UK continues to ensure an adequate level of data protection. The Commission has stated it will continue to monitor the legal framework in the UK and could intervene at any point if the UK deviates from the level of protection currently in place. If the Commission decides to renew the adequacy finding, the adoption process would start again.
• Exclusion of immigration control transfers: Transfers for the purpose of UK immigration control are excluded from the scope of the adequacy decision adopted under the GDPR. This is said to reflect a recent judgement of the Court of Appeal of England and Wales on the validity and interpretation of certain restrictions of data protection rights in this area. However the Commission will reassess the need for this exclusion once the situation has been remedied under UK law.

Background: The path to adequacy

Following the end of the Brexit implementation period (31 December 2020) and pending conclusion of the Commission’s adequacy decision, Article FINPROV.10A (Interim provision for transmission of personal data to the UK) of the EU-UK Trade and Cooperation Agreement (the Brexit Trade Agreement) granted an interim data transfer window during which the UK was not to be treated as a “third country” for GDPR purposes for a period of four months (which was extended to six months until 30 June 2021).

On 19 February 2021 the Commission published two draft adequacy decisions and launched the process towards their adoption for the transfer of personal data to the UK.  During the process, the Commission was stated to have been in close contact with the European Data Protection Board, which gave its opinion on 13 April 2021, the European Parliament and the EU Member States.

Vera Jourova, Vice President of the European Commission for Values and Transparency, confirmed that the Commission “listened very carefully to concerns expressed by Parliament, the Member States and the European Data Protection Board, in particular on the possibility of future divergence from our standards in the UK’s privacy framework…This is why we have significant safeguards and if anything changes on the UK side, we will intervene.”

Member States’ representatives approved the UK adequacy decisions as part of the so-called “comitology procedure” last week.

The Brexit Trade Agreement also includes a commitment on the EU and UK to uphold high levels of data protection standards. In particular, the agreement provides that any transfer of data to be carried out in the context of its implementation must comply with the data protection requirements of the transferring party (for the EU, the requirements of the GDPR and the Law Enforcement Directive). The Commission considers the adoption of the two adequacy decisions as a key element to “ensure the proper application and functioning of the” Brexit Trade Agreement.

The backdrop of recent regulatory activity

The Commission’s adequacy decisions come amidst a busy few weeks for international data transfers following the publication of final standard contractual clauses for both the international transfer of personal data to third countries (“Final SCCs“) and Article 28 clauses, as well as the EDPB issuing its finalised guidance on supplementary tools resulting from the Schrems II judgment from the Court of Justice of the European Union. Please refer to the links to our related blog posts above for further information on these developments.

Constraints on the UK path ahead?

Since leaving the EU, there have been suggestions that the UK may pursue a more relaxed, business-minded approach to data. In particular, the DCMS’ recent National Data Strategy sought to pave the way for harnessing and “unlocking the value” of data across the economy in order to enhance innovation and growth.

In reality such an approach will, however, need to be carefully balanced against the UK’s position on data vis-à-vis the EU, particularly to ensure that any divergence from EU legislation is seen as sufficiently protective if the UK is to continue to benefit from the adequacy decisions.

Regarding the UK’s approach to the Final SCCs, for example, the ICO has previously emphasised that international data transfers would need to account for the impact of the Schrems II decision. In its response to the UK’s National Data Strategy, the ICO also highlighted the importance of building on the rights, principles, and protections of data which are currently in place. Therefore, a novel approach or substantial deviation from the EU’s approach (be that the current SCCs or Final SCCs) seems unlikely. With respect to SCCs, in particular, we understand that the UK is likely to publish its own SCCs in the next month and there will also be a wait to see if the UK approves the EU Final SCCs.

Unlike adequacy decisions before it, given the unique position of the UK as an ex-EU Member State, the UK’s National Data Strategy and the ongoing scrutiny of the UK legislative framework by the Commission, the spotlight will remain on the UK as it starts to develop its own data protection framework. It also seems unlikely that the UK adequacy decisions will simply be re-adopted in 4 years’ time without careful consideration.

Indeed, given the misgivings voiced by a variety of stakeholders as part of the adoption process, there is also still the possibility of the adequacy decisions being challenged in a “Schrems-style” action.