European Commission adopts UK Adequacy Decision

Today, the European Commission has adopted two adequacy decisions for transfers of personal data to the United Kingdom, one under the General Data Protection Regulation (“GDPR”) and the other for the Law Enforcement Directive (“LED”).

The GDPR and LED impose restrictions on the transfer of personal data to a ‘third country’ unless that country benefits from (i) an adequacy decision; (ii) appropriate safeguards (e.g. standard contractual clauses (SCCs)); or (iii) one of the limited exceptions under Article 49 GDPR.

The UK adequacy decisions have been adopted just in time – the six month ‘bridging period’ agreed under the UK – EU Trade and Cooperation Agreement, allowing personal data to be transferred from the EU to the UK without the need for any additional safeguards, expires on 30 June 2021. The adopted adequacy decision will allow personal data to continue to flow to the UK from the EU.

Key points to note

  • Although the European Data Protection Board previously raised concerns about the UK surveillance regime, the European Commission has confirmed that the UK “provides for strong safeguards” in relation to access to personal data by public authorities for national security reasons. This will be welcomed by the UK Government.
  • The decisions come with some important qualifications:

    • The European Commission will closely monitor any divergence in UK data protection laws and policies from those in the EU, particularly in relation to onward transfers of personal data and UK decisions on third country adequacy (no other country assessment is subject this level of review).

    • The European Commission is able to “intervene” at any point, if it decides that the UK has deviated from the level of protection for personal data currently in place.
    • The European Commission has made clear it will only renew UK adequacy in the future if the UK continues to ensure an adequate level of data protection, with a formal decision point after four years – as the adequacy decisions include a ‘sunset clause’, meaning that they will automatically expire after four years unless renewed. This is quite a different process from prior adequacy decisions, which typically renew by default without any need (as now required for the UK) to go through a new review and adoption process.
    • Transfers relating to UK immigration control are excluded from the scope of the decisions. This follows concerns in a recent UK Court of Appeal judgment on the validity and interpretation of the ‘immigration exemption’ set out in Schedule 2 to the Data Protection Act 2018. The European Commission has stated that it will “reassess the need for this exclusion once the situation has been remedied under UK law”.

The adoption of the adequacy decisions is the final piece of the Brexit puzzle. With these approvals now in place, we can expect to see more clarity from the UK Government on their vision for a post-Brexit data protection regulatory landscape. There is certainly much to look out for, with a need to address important issues such as the UK’s approach to Standard Contractual Clauses, ‘Schrems’ Transfer Impact Assessments and third country adequacy. There is also great interest in the UK’s wider policy ambitions for a reformed data protection landscape.

To help navigate the post-Brexit regulatory position, download our updated GDPR app. The app now includes both EU and UK versions of the GDPR. For more information, visit our GDPR App webpage.

For further information, please get in touch with your usual DLA Piper contact.