What’s this all about?
Today the European Commission announced that it was satisfied with the UK data protection regime post-Brexit and it has issued draft “Adequacy Decisions” for the UK. The European Commission said that it had analysed the UK’s situation over the past few months, including UK rules on access to data by public authorities, and it has concluded that the UK ensures an essentially equivalent level of protection to that guaranteed under EU GDPR and under EU rules on data protection and law enforcement.
This article provides a brief summary of this important data transfers matter with some commentary on possible issues. It contains some data protection specific terms which are explained at www.bit.ly/gdprwords. There are also some FAQs on the UK data protection regime after Brexit and a short film explaining the position here https://bit.ly/brexdpfaq.
What’s “adequacy” all about?
Under EU GDPR, so-called “Adequacy Decisions” can be made where, put very simply, the EU (via the European Commission) can decide whether a country outside the EU/EEA (a so-called “third country”) offers an adequate level of data protection. The key upshot of an Adequacy Decision is that data transfers from the EU/EEA to that particular third country can be made freely, i.e. without the need for any additional safeguard measures.
What’s the situation with the UK now that it’s out of the EU?
Because the UK is outside the EU/EEA it is now considered as a third country in data protection terms.
Following the UK’s departure from the EU, as of 1 January 2021, transfers of personal data to the UK are governed by the EU-UK Trade and Cooperation Agreement (TCA). There is more on that agreement and on the temporary data deal here https://bit.ly/brextemp.
The TCA does not include an Adequacy Decision for the UK (the Adequacy Decision process being something separate) but it does provide for a so-called “bridging period” in order to ensure the continuity of data flows between the EU/EEA and the UK. This period is limited to 4 months (until 11pm UK time on 30 April 2021), which may be extended by another 2 months (until 11pm UK time on 30 June 2021). The “bridging period” is also provided on the basis that the UK does not change its current data protection regime.
What has the EU done?
The European Commission has undertaken its analysis of the UK’s data protection regime which it has concluded ensures an essentially equivalent level of protection to the EU’s data protection regimes and accordingly has issued two draft Adequacy Decisions which will now make their way through the EU legislative pipeline.
The European Commission Vice-President for Values and Transparency, Věra Jourová, said:
“Ensuring free and safe flow of personal data is crucial for businesses and citizens on both sides of the Channel. The UK has left the EU, but not the European privacy family. At the same time, we should ensure that our decision will stand the test of time. This is why we included clear and strict mechanisms in terms of both monitoring and review, suspension or withdrawal of such decisions, to address any problematic development of the UK system after the adequacy would be granted.”
The European Data Protection Board (EDPB) will provide its official (non-binding) Opinion and a committee made up of representatives from EU Member States will then (hopefully) give the draft decisions the all-clear.
Although it is not officially involved in the procedure the European Parliament will no doubt be expressing its views; it should be noted that at any time, the European Parliament (and the [EU] Council) may request the European Commission to maintain, amend or withdraw an (adopted) Adequacy Decision on the grounds that its act exceeds the implementing powers provided for under EU GDPR.
Once this procedure has been completed and the two decisions adopted, they are valid for an initial period of four years. After that period expires, it would seem likely that the adequacy findings would be renewed if the level of protection in the UK continues to be adequate. The four-year period itself is quite significant – the 2019 Adequacy Decision for Japan is subject to review every two years and the ill-fated Privacy Shield scheme was subject (in theory at least) to annual review.
Is this in effect a done deal?
No. In EU institutional terms, there may be dissenting voices from some national data protection regulators in the EDPB, and certain quarters in the European Parliament can be expected to heavily criticise if not oppose some of the European Commission’s findings. The main bone of contention is likely to be elements of section “3.3 Access and use by United Kingdom public authorities for national security purposes” of the draft Adequacy Decision under EU GDPR (in particular the sub-sections on the exercise of bulk powers: “Bulk interception and bulk equipment interference”, “Bulk acquisition of communications data” and “Retention and examination of bulk personal datasets”) and the conclusion that:
“(268) Finally, on the basis of the available information about the United Kingdom legal order, the Commission considers that any interference with the fundamental rights of the individuals whose personal data are transferred from the European Union to the United Kingdom by United Kingdom public authorities for public interest purposes, in particular law enforcement and national security purposes, will be limited to what is strictly necessary to achieve the legitimate objective in question, and that effective legal protection against such interference exists.”
The draft decision is a long one stretching to 88 pages. By way of comparison the Japan Adequacy Decision was ‘only’ 58 pages long.
Could the Adequacy decision be challenged even if it is confirmed?
Yes. Further down the line there may also be challenges from privacy activist groups, as indicated in Maximillian Schrems’ comments today:
“We will take a look at the UK adequacy decision once it is out. There seems to be little doubt about adequacy of the commercial data use. At the same time there are obviously issues on UK government surveillance on EU data, which requires deeper analysis.”
The Schrems III decision (www.bit.ly/pshielddead) also confirmed in some respects the independence of data protection regulators across the EU. Some may want to make their own assessment of the UK’s adequacy, as German regulators did before the collapse of Safe Harbor and its replacement by Privacy Shield.
What practical steps can I take?
Businesses should still review their data transfers and make sure they have an interim solution for now and a plan in case no adequacy decision is confirmed or as an insurance policy against any challenge once granted. Issues to be addressed include the following:
- Mapping key data flows in and out of the UK.
- Putting agreements in place to protect data transfers – even intra-company.
- Making sure the Schrems III double-due diligence test is done. You might want to start with new suppliers. You will then likely want to look at shoring up transfers to group companies and key existing providers (like global HR systems, payroll, sales management systems) which are the most critical to your operations. You can find out more about this double-due diligence test here https://bit.ly/pshielddead.
- Having a long-term strategy on data localisation. This might include changing the location of your servers for some critical data processing.
Cordery’s GDPR Navigator includes resources to help deal with data protection compliance. GDPR Navigator includes template processes and procedures to deal with data rights requests and short films and other guidance. You can find out more about GDPR Navigator at www.bit.ly/gdprnav.
Cordery’s Brexit Impact Plan helps organisations prepare for the effects of Brexit for a fixed fee. There are details here https://www.corderycompliance.com/solutions/brexit-impact-plan/.
We report about data protection issues here: http://www.corderycompliance.com/category/data-protection-privacy/ and on Brexit related issues here https://www.corderycompliance.com/category/brexit/.
The European Commission’s press release can be found here https://ec.europa.eu/commission/presscorner/detail/en/ip_21_661.
The draft adequacy decisions can be found here https://ec.europa.eu/info/files/draft-decision-adequate-protection-personal-data-united-kingdom-general-data-protection-regulation_en and here https://ec.europa.eu/info/files/draft-decision-adequate-protection-personal-data-united-kingdom-law-enforcement-directive_en.
For more information please contact André Bywater or Jonathan Armstrong who are commercial lawyers with Cordery in London where their focus is on compliance issues.
| Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH |
|---|---|
| Office: +44 (0)207 075 1784 | Office: +44 (0)207 075 1785 |