The European Commission has published its long awaited draft adequacy decision in respect of the United Kingdom. This is the first step in the approval process for enabling the free flow of personal data from the EU/EEA to the UK, and will be welcomed by organisations that transfer personal data between the EU/EEA and the UK.

There are a number of steps to go through before the adequacy decision is adopted. In this post, we look at what the draft adequacy decision says and what needs to happen in order for it to be adopted.

Background

Upon the expiry of the post-Brexit transition period, the UK became a third country for the purposes of EU data protection. This means that transfers of personal data from the EU/EE to the UK can only take place in certain circumstances. The UK has been seeking an adequacy decision from the European Commission which would enable the free flow of personal data without the need to use Standard Contractual Clauses or other appropriate safeguards.

The adequacy assessment process commenced in Spring 2020, following the UK's departure from the the EU. During that time, the ECJ published its decision in the Schrems II case, which looked at the lawfulness of transfers of personal data to the United States. Schrems II raises a number of issues in relation to the powers of surveillance agencies in third countries, which need to be considered in any adequacy decision.

Under the EU-UK Trade & Cooperation Agreement, a transitionary period was agreed, during which transfers of personal data to the UK would not be treated as a transfer to a third country. That period runs until the end of April (extendable for a further two months), during which it was anticipated that the Commission's adequacy assessment process would be completed.

What does the draft adequacy decision say?

The Commission says that it has carefully reviewed the UK's law and practice in relation to the protection of personal data, including access by law enforcement and other public bodies. The Commission says that it considers that UK law provides an essentially equivalent level of protection under both GDPR and the Law Enforcement Directive (which deals with processing of personal data for law enforcement purposes).

Addressing Schrems II head-on, the draft adequacy decision contains extensive commentary on the UK Investigatory Powers Act and the powers of UK law enforcement agencies. The draft decision concludes that access is governed by laws that set conditions under which access can take place and ensures that access and use of data is limited to what is "necessary and proportionate" to the law enforcement or national security objective pursued.

On that basis, the Commission concludes that UK GDPR and the DPA 2018 provide an essentially equivalent level of protection, and that interference for law enforcement and national security purposes is proportionate.

However, it is also noted that the UK is no longer subject to EU data protection laws and that it is therefore possible that UK law will diverge from EU law. It is therefore proposed that the adequacy decision will be valid for an initial period of four years, at which point it will be reviewed.

What are the next steps?

The next step is for the European Data Protection Board to provide its opinion on the draft adequacy decision. While the EDPB has no power to veto a proposed adequacy decision,  its opinion will be influential. It will also provide an insight into how the EDPB will approach international transfers post-Schrems II.

Following Schrems II, the EDPB published recommendations on its so-called "Essential European Guarantees", which are intended to help data exporters determine whether data retention and surveillance laws in third countries are compatible with EU law. The Essential European Guarantees are based on the EDPB's interpretation and arguably gold plate some of the requirements of EU law. The UK adequacy decision will be the first time that the EDPB has had to put the Essential European Guarantees to the test.

Following the EDPB opinion, the decision is then subject to approval from representatives from EU member states. Once that approval is received the Commission can then adopt the adequacy decision. Under the Trade and Cooperation Agreement, that process needs to be completed by the end of June in order to ensure continuity of transfers.

For organisations that transfer personal data from the EU/EEA to the UK, and are considering their data transfers/hosting strategy, the key question is whether the Commission's decision is robust enough to withstand the inevitable challenge. Views from the the EDPB and others over the coming months will be key key to assessing that risk.

More information

You can find the draft adequacy decision on the European Commission's website.

If you would like to discuss the adequacy process or your organisation's transfers of personal data, please contact Martin Sloan or Grant Campbell.

Contributor

Martin Sloan

Partner