EU Adopts Adequacy Decisions Allowing Data Flow to the UK

Personal data can continue to flow freely between Europe and the United Kingdom (UK) following an agreement by the European Union (EU) to adopt an Adequacy Decision under Article 45 of Regulation 2016/679 (the General Data Protection Regulation or GDPR) regarding the UK.

Transfers of personal data (as defined in the GDPR) to countries outside of the European Economic Area (EEA)(so-called “Third Countries”) are not, courtesy of Article 44 GDPR, permitted except where there is an Adequacy Decision, appropriate safeguards such as Standard Data Protection Clauses (issued in pre-approved form by the Commission), or Binding Corporate Rules (which must be approved by the Commission on a case-by-case basis). The Schrems II decision in July 2020 invalidated the Privacy Shield regime which previously legitimized transfers of personal data from the EEA to the USA. This has brought the other above-mentioned means of legitimate data transfers into sharp focus.

In the aftermath of Brexit, many wondered how data transfers would work between the EU and the UK, since from the effective date of the UK’s withdrawal from the EU (31 December 2020), the UK would be considered a Third Country and, therefore, subject to the Article 44 restriction.

The adoption by the European Commission of an Adequacy Decision involves:

1. A proposal from the Commission;
2. An opinion from the European Data Protection Board (which replaced the Article 29 Working Group);
3. An approval from representatives of EU member states; and
4. An adoption of the Decision by the Commission.

The purpose of this four-step process is for the Commission to assess if a Third Country provides an adequate level of data protection. The European Commission has previously issued Adequacy Decisions for Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay.

Given the level of trade between the UK and the EU (approximately 50% of the UK’s imports and exports as of 2020) and the necessary corollaries in levels of transfers of personal data, ensuring that future transfers would be in compliance with GDPR requirements was high on the agenda of post-Brexit tasks. The process commenced in Feb. 2021 and was completed just four months later on 28 June 2021 when the Adequacy Decision was adopted. The previous average for an Adequacy Decision was 28 months, so the pace at which this has been completed indicates the political will and economic importance placed on the process.  The GDPR Adequacy Decision was accompanied by a simultaneous Adequacy Decision under the Law Enforcement Directive which works hand in glove with the GDPR in respect of policing and security data transfers.

The UK Adequacy Decision process will have incorporated a scrutinization of the UK’s legislative framework as well as its international commitments and the functioning of the Information Commissioner’s Office (the relevant UK Supervisory Authority for data protection). It is almost certain that the UK’s adoption of GDPR as national legislation (albeit a “frozen” version of GDPR as it stands in 2020) will have had a significantly positive impact on this assessment. As against this, the Commission will have weighed its concerns regarding the UK’s surveillance regime under the Investigatory Powers Act 2016.

The adoption of the Adequacy Decision(s) is to be welcomed by businesses involved in trade with the UK and/or dealings with UK companies to whom personal data on EU data subjects is transferred.  The adoption by the UK of GDPR does, however, carry a risk, if not a certainty, of a measure of divergence on data protection laws in the future. As this evolves, it is possible that the Commission could exercise its power to revoke the Adequacy Decisions. With this leverage comes the prospect that, in reality, the UK arguably remains subject to the ongoing development of EU data protection law.