Cordery

Legal.Compliance.

Client Alert: EDPB approves UK Draft Data Protection Adequacy Decisions

What’s this all about?

Today the European Data Protection Board (EDPB) released opinions on the European Commission’s draft Adequacy Decisions for the UK. The opinions confirm the EDPB’s view that the UK regime is adequate in data protection terms. You can read background to the decisions here https://www.corderycompliance.com/draft-eu-adequacy-decisions-issued-for-the-uk/. This note contains some data protection specific terms which are explained at www.bit.ly/gdprwords. There are also some FAQs on the UK data protection regime after Brexit and a short film explaining the position here https://bit.ly/brexdpfaq.

What’s “adequacy” all about?

Under EU GDPR, so-called “Adequacy Decisions” can be made where (put very simply) the EU (via the European Commission) can decide whether a country outside the EU/EEA (a so-called “third country”) offers an adequate level of data protection. The key upshot of an Adequacy Decision is that data transfers from the EU/EEA to that particular third country can be made freely, i.e. without the need for any additional safeguard measures.

What’s the situation with the UK now that it’s out of the EU?

Because the UK is outside the EU/EEA it is now considered as a third country in data protection terms.  The UK currently has the benefit of a temporary data deal which will expire at the end of this month unless renewed.  This is part of the EU-UK Trade and Cooperation Agreement (TCA).  There is more on that agreement and on the temporary data deal here https://bit.ly/brextemp.

What has the EU done?

The European Commission has undertaken its analysis of the UK’s data protection regime which it has concluded ensures an essentially equivalent level of protection to the EU’s data protection regime and issued two draft Adequacy Decisions in February 2021.

What did the EDPB decide?

The EDPB has looked at the draft adequacy decisions and, with some qualifications, issued a non-binding opinion recommending their acceptance.

There are two opinions since there are two draft Adequacy Decisions, one dealing with law enforcement and national security and the second dealing with more general data protection and data transfer matters.

The EDPB says that there are key areas of “strong alignment” between the EU and the UK data protection frameworks including on: grounds for lawful and fair processing for legitimate purposes; purpose limitation; data quality and proportionality; data retention, security and confidentiality; transparency; special categories of data; and on automated decision making and profiling.

But it is not an unqualified blessing.  The EDPB highlights a number of areas requiring further assessment and monitoring including:

  1. The UK exception for immigration data
  2. Onward transfers
  3. The role and powers of the security services

What happens next?

The baton now passes to a committee made up of representatives from EU Member States.  Although it is not officially involved in the procedure the European Parliament will no doubt be expressing its views.

If adopted it is proposed that the two adequacy decisions will run for an initial period of four years. As we have said in our previous alert the four year period itself is quite significant – the 2019 Adequacy Decision for Japan is subject to review every two years and the ill-fated Privacy Shield scheme was subject (in theory at least) to annual review.

Is this in effect a done deal?

Not yet although the EDPB report seems to be one more significant hurdle cleared.

Could the Adequacy decision be challenged even if it is confirmed?

Yes.  Further down the line there may also be challenges from privacy activist groups.  Given the Schrems litigation and the successful challenges to Safe Harbor and then Privacy Shield the future of any adequacy decisions is not guaranteed.

What practical steps can I take?

Businesses should still review their data transfers and make sure they have an interim solution for now and a plan in case no adequacy decision is confirmed or as an insurance policy against any challenge once granted.  Issues to be addressed include the following:

  1. Mapping key data flows in and out of the UK.
  2. Putting agreements in place to protect data transfers – even intra-company.
  3. Making sure the Schrems III double-due diligence test is done. You might want to start with new suppliers. You will then likely want to look at shoring up transfers to group companies and key existing providers (like global HR systems, payroll, sales management systems) which are the most critical to your operations. You can find out more about this double-due diligence test here https://bit.ly/pshielddead.
  4. Having a long-term strategy on data localisation. This might include changing the location of your servers for some critical data processing.
  5. Updating your privacy policy and being transparent with your employees and customers about data transfers.

More information

Cordery’s GDPR Navigator includes resources to help deal with data protection compliance. GDPR Navigator includes template processes and procedures to deal with data rights requests and short films and other guidance. You can find out more about GDPR Navigator at www.bit.ly/gdprnav.

Cordery’s Brexit Impact Plan helps organisations prepare for the effects of Brexit for a fixed fee. There are details here https://www.corderycompliance.com/solutions/brexit-impact-plan/.

We report about data protection issues here: http://www.corderycompliance.com/category/data-protection-privacy/ and on Brexit related issues here https://www.corderycompliance.com/category/brexit/.

The European Commission’s press release can be found here https://ec.europa.eu/commission/presscorner/detail/en/ip_21_661

The draft adequacy decisions can be found here https://ec.europa.eu/info/files/draft-decision-adequate-protection-personal-data-united-kingdom-general-data-protection-regulation_en and here https://ec.europa.eu/info/files/draft-decision-adequate-protection-personal-data-united-kingdom-law-enforcement-directive_en.

For more information please contact André Bywater or Jonathan Armstrong who are commercial lawyers with Cordery in London where their focus is on compliance issues.

Jonathan Armstrong, Cordery, Lexis House, 30   Farringdon Street, London, EC4A 4HH André Bywater, Cordery, Lexis House, 30             Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784 Office: +44 (0)207 075 1785
Jonathan.armstrong@corderycompliance.com Andre.bywater@corderycompliance.com
 

 

Contact a Cordery Specialist +44(0)207 118 2700 | Contact Us

Cordery is a trading name of Cordery Compliance Limited. Authorised and regulated by the Solicitors Regulation Authority.
SRA number 608187. Company number 07931532 registered in England and Wales. VAT number: 730859520
Registered office: Lexis House, 30 Farringdon Street, London, EC4A 4HH, United Kingdom

Cordery Compliance Limited trading as Cordery provides some products and services which are not regulated by the Solicitors Regulation Authority; we will clearly state this to you if this is the case.

We use the word “partner” to refer to a shareowner or director of the company, or an employee or consultant who is a lawyer with equivalent standing and qualifications.

Cordery is a registered trademark of RELX (UK) Limited, used under license. The Knowledge Burst logo is a registered trademark of Reed Elsevier Properties Inc., used under license.

Copyright © 2021 Cordery. All rights reserved.