On 28 June 2021, as we predicted in our earlier alerts, the European Commission adopted two adequacy decisions for the UK, one under the General Data Protection Regulation (GDPR) and the other for the Law Enforcement Directive (LED). The decisions are similar to earlier drafts and include a so-called “Sunset Clause” which means that adequacy will have to be reviewed in 4 years’ time.
In this article we will talk about the adequacy decision which will concern most businesses, the one which deals with GDPR.
What’s “adequacy” all about?
Under EU GDPR so-called “Adequacy Decisions” can be made where (put very simply) the EU (via the European Commission) can decide whether a country outside the EU/EEA (a so-called “third country”) offers an adequate level of data protection. The key upshot of an Adequacy Decision is that data transfers from the EU/EEA to that particular third country can be made freely, i.e. without the need for any additional safeguard measures.
What’s the situation with the UK now that it’s out of the EU?
Because the UK is outside the EU/EEA it is now considered as a third country in data protection terms. The UK has previously had the benefit of a temporary data deal which expired at the end of June 2021. There is more on that agreement and on the temporary data deal here https://bit.ly/brextemp. The fact that the GDPR adequacy decision was formalized before the end of the temporary data deal ensures some continuity for data transfers.
What has the EU done?
The EU has decided that the UK’s data protection regime ensures an essentially equivalent level of protection to the EU’s data protection regime.
What about the EDPB?
The European Data Protection Board (EDPB) previously released opinions on the European Commission’s draft Adequacy Decisions for the UK. The opinions confirmed the EDPB’s view that the UK regime is adequate in data protection terms. You can read background to the decisions here https://www.corderycompliance.com/draft-eu-adequacy-decisions-issued-for-the-uk/. You can read our earlier alert on the EDPB’s position here https://www.corderycompliance.com/edpb-approves-uk-ddpad/.
What happens next?
The two Adequacy Decisions will run for an initial period of four years. As we have said in our previous alerts, the four-year period itself is quite significant – the 2019 Adequacy Decision for Japan is subject to review every two years and the ill-fated Privacy Shield scheme was subject (in theory at least) to annual review.
Could the GDPR Adequacy Decision be challenged?
Yes. There may well be challenges from privacy activist groups. Given the Schrems litigation and the successful challenges to Safe Harbor and then Privacy Shield, the future of the Adequacy Decisions is not guaranteed. However, it is important to remember that the European Commission has issued just 13 Adequacy Decisions in the past 26 years. Only 2 of those Adequacy Decisions, both with the US, have been struck down.
What practical steps can I take?
The Adequacy Decision is not a green light to transfer data without taking any precautions to ensure the safety of the data. Businesses should still review their data transfers and make sure they have a solution for now and an insurance policy against any challenge. Issues to be addressed include the following:
- Mapping key data flows in and out of the UK.
- Putting agreements in place to protect data transfers – even intra-company.
- Making sure the Schrems III double-due diligence test is done. You might want to start with new suppliers. You will then likely want to look at shoring up transfers to group companies and key existing providers (like global HR systems, payroll, sales management systems) which are the most critical to your operations. You can find out more about this double-due diligence test here https://bit.ly/pshielddead.
- Having a long-term strategy on data localisation. This might include changing the location of your servers for some critical data processing.
Cordery’s GDPR Navigator includes resources to help deal with data protection compliance. GDPR Navigator includes template processes and procedures to deal with data rights requests and short films and other guidance. You can find out more about GDPR Navigator at www.bit.ly/gdprnav.
Cordery’s Brexit Impact Plan helps organisations prepare for the effects of Brexit for a fixed fee. There are details here https://www.corderycompliance.com/solutions/brexit-impact-plan/.
We report about data protection issues here: http://www.corderycompliance.com/category/data-protection-privacy/ and on Brexit related issues here https://www.corderycompliance.com/category/brexit/.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785