The European Commission has adopted an adequacy decision in relation to the transfers of personal data from the EU and EEA to the United Kingdom. The decision will be welcomed by organisations in both the EU/EEA and UK, bringing to an end a period of uncertainty over what steps would need to be adopted to enable such transfers to continue.
The decision will be particularly welcomed by UK businesses that provide services to customers in the EU/EEA, as any requirement for customers to carry out additional diligence and risk assessments and put in place Standard Contractual Clauses may have impacted on their ability to win business.
Background
EU data protection law limits transfers of personal data to third countries outside the EU/EEA. Transfers of personal data may only take place if there is a valid finding of adequacy in place for that country or territory. If there is no adequacy decision, then the transfer will only be lawful if exporter has place Appropriate Safeguards (such as the standard contractual clauses) or identified a valid derogation.
Upon leaving the EU, the UK became a third country. Under the arrangements for the post-Brexit transition period, the UK continued to be treated as part of the EU for the purposes of these rules. A further six month transitionary period was agreed under the EU-UK Trade & Cooperation Agreement. That transitionary period ends on 30 June 2021.
While GDPR was incorporated into UK domestic law under Brexit legislation, this is the first adequacy decision since the European Court of Justice's opinion in the Schrems II case. Further complications have been caused by the Court of Appeal finding that the immigration exemption in the Data Protection Act 2018 is unlawful.
You can read our summary of the draft adequacy decision here.
What does the UK adequacy decision say?
There are two adequacy decisions: one under GDPR and one under the Law Enforcement Directive (covering transfers in relation to law enforcement).
The adequacy decisions are largely in line with the February 2020 drafts:
- the adequacy decisions seek to address head on the issues raised in Schrems II.
- noting that UK law may diverge from EU law in the future and concerns in relation to onward transfers from the UK, the decisions are subject to a sunset clause, meaning that they will expire automatically in 2025.
- following the recent Court of Appeal decision in the UK, transfers for the purposes of UK immigration control are excluded from the scope of the GDPR adequacy decision.
The Commission has said it will actively monitor UK law during the four year period, with the ability to intervene if need be. Any renewal of the adequacy decisions will be subject to the satisfactory completion of a new adoption assessment.
Do we need to do anything to rely upon the new adequacy decision?
The adequacy decisions will be welcomed by organisations in both the UK and the EU/EEA, bringing to an end uncertainty over the basis on which transfers of personal data can be made after 30 June.
Transfers can be made without the need to put in place any additional contractual paperwork or carry out any additional assessments beyond what should usually be carried out when transferring personal data to a processor or another controller.
While the decisions mean that organisations will not need to put in place Standard Contractual Clauses and carry out Schrems II assessments of transfers between the EU/EEA and the UK, organisations should still ensure that they have clear and detailed records of the transfers that they make. They should also ensure that these transfers are explained in their privacy notices.
More information
You can read the adequacy decisions on the European Commission website.
If you would like to discuss the EU's adequacy decision, or any international transfers of personal data that your organisation makes, please contact Martin Sloan or Grant Campbell.
Contributors
Partner
Partner