On 28 June 2021, the European Commission formally recognised the UK’s data protection law as adequate in relation to both the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED). This comes after almost a year of assessment and discussion between the EU and the UK. This decision allows for the free flow of personal data from the European Economic Area (EEA) to the UK and shall provide the same protection provided by the interim regime under the EU-UK Tade and Co-operation Agreement, which expired on 30 June 2021. Whilst the decision is welcome, there are some key limitations and points for businesses to consider going forward which we discuss below.
An adequacy decision is a status granted by the European Commission to countries outside the EU/EEA that demonstrate a similar level of protection in respect of personal data comparable to that provided by European Union law.
The European Commission’s 93-page report provides a detailed assessment of democracy in the UK as well as the UK’s data protection laws. Ultimately the report found that the UK regime closely mirrors that of the corresponding rules applicable within the EU. Such a decision was largely expected after the UK sought to implement equivalent EU rules in national law after leaving the EU and the European Commission’s draft adequacy decision back in February 2021.
For businesses, this is a welcome sign as it allows for the free flow of personal data and EEA based businesses will not be required to take adopt additional mechanisms when transferring data such as the adoption of Standard Contractual Clauses. Businesses can also breathe a sigh of relief given that the adequacy decision was made just two days prior to the expiry of the interim regime under the EU-UK Trade and Co-operation Agreement, meaning that no changes to current arrangements are required.
Points to consider
There are some key provisions detailed within the adequacy decision which businesses ought to be aware of going forward. Didier Reynders, Commissioner for Justice, said: “The Commission will be closely monitoring how the UK system evolves in the future and we have reinforced our decisions to allow for this and for an intervention if needed”.
Therefore, whilst the adequacy decision allows for the free flow of personal data, this will be closely monitored by the European Commission. This is re-enforced by the inclusion of the ‘sunset clause’ which strictly limits the duration of the adequacy decision. The decision will automatically expire after four years and a review will need to be made at the time to determine whether the adequacy decision is renewed. However, this four-year period is not guaranteed and the adequacy decision includes provisions which allow the European Commission to suspend, repeal, or amend the decision if it considers that an adequate level of protection is provided.
Businesses should be mindful going forward that whilst the adequacy decision provides for the free flow of personal data between the EEA and the UK, this is not guaranteed and will largely depend on the UK’s approach going forward. Divergence has already been shown in areas such as immigration control in light of a recent Court of Appeal judgement (R (Open Rights Group and the3million) v Secretary of State for the Home Department and Others  EWCA Civ 800) which ruled that the immigration exemption in paragraph 4 of Part 1 of Schedule 2 of the DPA 2018 is unlawful. This resulted in immigration control being excluded from the scope of the GDPR adequacy decision and should further divergence occur, it is likely that the adequacy decision will be amended (or repealed if needed) to reflect this.
How can we help?
We are on hand to assist clients with any queries they may have in relation to the international transfer of personal data, so please do not hesitate to contact our specialist Data Protection and Cyber Security team.
This article was co-written by Haris Saleem, Trainee Solicitor.