Following Brexit, the United Kingdom became a third country under the EU General Data Protection Regulation (GDPR). As a result, transfers of personal data from the EU to the UK are allowed only if the level of data protection in the UK is equivalent to that of the EU. The European Commission confirmed the level of data protection with an adequacy decision under the GDPR. But whether courts will challenge the UK’s data adequacy status is still uncertain.
Update, March 2025
On March 27, 2025, the European Commission proposed a six-month extension to the current UK data adequacy decision, originally adopted in 2021. If approved, the extension will maintain the free and secure flow of personal data from the EU to the UK until 27 December 2025. The proposed six-month extension aims to maintain uninterrupted data flows while the UK finalises its legislative reform process, particularly regarding the Data (Use and Access) Bill, introduced on 23 October 2024.
Adoption process of the adequacy decision
On 19 February 2021, the European Commission presented two draft adequacy decisions and initiated the formal process for their adoption. In the preceding months, the Commission had carried out an in-depth investigation of the UK’s legal framework and practices regarding the protection of personal data, with a particular focus on the rules governing access to data by UK authorities. Throughout this process, the Commission maintained close dialogue with the European Data Protection Board (EDPB), which issued its opinion on 13 April, as well as with the European Parliament and the Member States. The European Data Protection Board has to issue an opinion and the Commission’s decision must be approved and adopted by Member States.
In April 2021, the EDPB commented on the Commission’s draft. In general, the EDPB welcomed the draft but required a few improvements.
On 20 May 2021, the European Parliament, with a narrow majority of MEPs, also called on the Commission to make improvements and, in doing so, largely agreed with the statements of the EDPB. In particular, data transfers to other third countries based on the UK’s own agreements, as well as bulk access, still need to be clarified more precisely.
In principle, the data protection framework in the UK is very similar to that in Europe. However, British law provides for exceptions, especially with regard to national security and immigration. With Brexit, these exceptions now also apply to EU citizens. The MEPs also advised the national data protection authorities to suspend data transfers to the UK if the requested improvements are not made.
Upon completion of the formal process, the European Commission sought approval of the adequacy decisions from the representatives of the Member States through the comitology procedure. Despite the concerns of the EDPB and the rejection by the EU Parliament, the EU Commission adopted the adequacy decision on the United Kingdom on 28 June 2021. In its press release, the Commission stated that although the United Kingdom is no longer a Member State of the EU, the legal provisions for the protection of personal data are still in place. Regarding the concerns of the EU Parliament, the Commission argues that significant safeguards are in place in case the UK’s privacy framework diverges from EU standards in the future, to protect the fundamental rights of EU citizens. These safeguards allow the EU Commission to intervene, if necessary.
Content of the adequacy decision for the UK
The adequacy decision contains the following elements:
- Despite leaving the EU, the UK’s data protection system continues to be based on EU standards, as was the case when the UK was a member state of the EU.
- With respect to access to personal data by public authorities in the UK (notably for national security reasons), the UK system provides for strong safeguards:
  - Data collection by intelligence agencies is, in principle, subject to prior authorisation by an independent judicial body. Any measure needs to be necessary and proportionate to the objective pursued.
  - If data subjects, companies, organisations, etc. feel that they have been subjected to unlawful surveillance, they may bring an action before the Investigatory Powers Tribunal.
- The UK also remains subject to the jurisdiction of the European Court of Human Rights and must adhere to the European Convention on Human Rights as well as to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. The latter is the only binding international convention in the field of data protection. These obligations under international law constitute essential elements of the legal framework assessed in the adequacy decision.
- The adequacy decision for the UK is also the first decision to contain a so-called “sunset clause”, which strictly limits its duration. The decision automatically expires four years after its entry into force. Renewal is only possible if the UK continues to ensure an adequate level of data protection. But even during these four years, the EU Commission may intervene at any time if the level of data protection in the UK deviates from the level of protection currently in place. If, after the four years, the Commission decides to renew the adequacy decision, the adoption process would start again.
- The criticised data transfers for immigration control practised by the UK are excluded from the material scope of the adequacy decision adopted under the GDPR. This is due to the recent decision by the Court of Appeal of England and Wales on the validity and interpretation of certain restrictions of data protection rights in this area. This decision has been taken into account in the adequacy decision. However, once the situation has been remedied under UK law, the EU Commission will reassess the need for this exclusion.
Further development
By extending the adequacy decision until 27 December 2025, the EU Commission now has sufficient time to assess the changes to UK data protection law. While this extension ensures short-term legal certainty for data transfers, the long-term renewal of the adequacy agreement remains uncertain.
Over the coming months, the Commission will assess whether the UK’s revised data protection laws continue to offer a level of protection essentially equivalent to that provided within the EU. Should the UK reforms be deemed insufficient, companies may face significant new compliance burdens, including the implementation of supplementary safeguards for data transfers.
The next phase of the evaluation will be critical in determining the future of EU–UK data flows and whether the UK can maintain its adequacy status under the General Data Protection Regulation (GDPR).