Draft UK Adequacy Decisions – Things are looking up for EU-UK data transfers

The EU Commission’s draft opinion favours recognising UK as an adequate jurisdiction for data transfers, pathing the way for easier transfers of data from the EEA to the UK.

Draft UK Adequacy Decision

On Friday 19^th February, the European Commission (the “Commission”) issued two highly anticipated draft adequacy decisions, which together concluded that the UK offers an equivalent level of personal data protection as that provided to the European Union, pursuant to Article 45 of the GDPR.

For the first time, the Commission released two draft adequacy decisions;  one under the EU General Data Protection Regulation and another under the Law Enforcement Directive. The decisions, once adopted, will replace the current interim or “bridging” solution, agreed under the EU-UK Trade and Cooperation Agreement, which currently allows for organisations to transfer personal data from the EU to the UK up until 30 June 2021.

Impact for EU-UK Data Transfers

The adequacy decision will be warmly welcomed both by organisations within the UK, as well as those operating globally, who regularly transfer data from the EEA to the UK. Many of these organisations have been operating with uncertainty and hurrying to implement alternative data mechanisms to safeguard their EU data without interrupting EU to UK data flows.

In light of the Schrems II decision, the fear that the UK would be considered an inadequate third country after the expiry of the bridging solution saw many organisations facing the significant cost and administration associated with either migrating their EEA  data out of the UK to an adequate jurisdiction, or the implementation of additional data transfer assessments required in combination with the adoption of standard contractual clauses (“SCCs”) as an alternative data transfer mechanism.

Basis for Draft UK Adequacy Decision

The common consideration across both decisions were the similarities between the EU GDPR and both the UK GDPR and the Data Protection Act 2018, given that both UK data protection instruments are based on retained EU legislation. As such, the data protection rules in the United Kingdom in many aspects closely mirror the corresponding rules applicable within the European Union.[1] The press release differentiates the UK from ‘other non-EU countries where convergence is developed through the adequacy process between often divergent systems’ noting that ‘EU law has shaped the UK’s data protection regime for decades.’[2]

Another relevant factor is the UK’s commitment to the European Convention of Human Rights and to “Convention 108” of the Council of Europe. It was noted that this means that, even though it has left the EU, the UK remains a member of the European “privacy family”. ‘Continued adherence to such international conventions is of particular importance for the stability and durability of the proposed adequacy findings.’[3]

Whilst these similarities may provide essential equivalency in a commercial sense, it is likely that the UK government surveillance powers considered in the adequacy decisions will face additional scrutiny. In response to the draft decisions, Max Schrems, whose challenges famously brought down the EU-US Safe Harbor Agreement and the EU-US Privacy Shield, wrote:

“As many asked about it: We will take a look at the UK adequacy decision once it is out. There seems to be little doubt about adequacy of the commercial data use. At the same time there are obviously issues on UK government surveillance on EU data, which requires deeper analysis.[4]”

Furthermore, the approval of the adequacy decisions will not see a return to pre-Brexit business as usual. Although the UK may be considered an adequate jurisdiction, it still remains a non-EU jurisdiction and any organisation carrying on business within the EU who continues to transfer EU data to the UK will need to ensure that this is managed correctly. This may include complying with the requirement to engage an EU and a UK representative (if there’s no presence in those jurisdictions), ensuring transparency with regard to reliance upon this adequacy decision in Privacy Notices and ensuring that commercial contracts reflect the same, as well as provide for any discrepancies between the EU GDPR and the UK GDPR.

What’s next?

The Commission will now share the draft decisions with the European Data Protection Board for a ‘non-binding opinion’ before it is put forward to EU member states to formally approve. In order for the Commission’s adequacy decision to become final, a committee of representatives of EU Member States must first issue a positive decision.

Additionally, and in line with the GDPR, the adequacy finding will be re-examined every four years to ensure the UK rules continue to offer the adequate level of protection required by Article 45(3).

Further references

UK government welcomes the European Commission’s draft data adequacy decisions

European Commission press release on draft UK adequacy decision

How the EU determines if a non-EU country has an adequate level of data protection

Draft SCC’s and Supplementary Measures

[1] Draft Commission Implementing Decision pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom at 15

[2] Data protection: draft UK adequacy decision (europa.eu)

[3] Data protection: draft UK adequacy decision (europa.eu)

[4]https://twitter.com/maxschrems/status/1362715631653711872?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1362715631653711872%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fiapp.org%2Fnews%2Fa%2Feuropean-commission-releases-draft-uk-adequacy-decisions%2F

Privacy 108

At Privacy 108, we are passionate about privacy and data protection. We work with organisations to ensure they collect, use and secure all information in a way that is both compliant and meets community expectations. Privacy 108 is a law firm. Our team of lawyers can provide specialist legal advice on privacy and security issues.