Following Brexit, the United Kingdom became a third country under the EU General Data Protection Regulation (GDPR). As a result, transfers of personal data from the EU to the UK are allowed only if the level of data protection in the UK is equivalent to that of the EU. The European Commission confirmed the level of data protection with an adequacy decision under the GDPR. But whether courts will challenge the UK’s data adequacy status is still uncertain.
Update, 31 August 2021: As we expected, the first issues with the UK adequacy decision are emerging. On 26 August 2021, the UK government issued a press release announcing a major legal change in data protection. The UK government intends to replace the provisions of the GDPR, which have so far been adopted into national law, with the UK’s own provisions. Fundamental changes will be made regarding the necessity of cookie banners and international data transfers.
The draft Act is expected to be published in the course of September. After its publication, the draft Act will be examined by the EU Commission and its compatibility with European data protection law will be scrutinised. If the draft is not compatible, suspension or termination of the adequacy decision is to be expected. This would again make data transfers to the UK significantly more difficult.
Our advice therefore remains to be aware of your own data flows to the UK in order to be able to switch to other safeguards for third country transfers, such as Standard Contractual Clauses, if necessary, and to keep up to date on this topic.
Adoption process of the adequacy decision
On 19 February 2021, the European Commission launched the process towards the adoption of an adequacy decision for transfers of personal data to the United Kingdom. In addition, the Commission provided information on the next steps and published a draft adequacy decision.
The European Data Protection Board has to issue an opinion and the Commission’s decision must be approved and adopted by Member States.
In April, the EDPB commented on the Commission’s draft. In general, the EDPB welcomed the draft but called for a few improvements.
On 20 May 2021, the European Parliament, with a narrow majority of MEPs, also called on the Commission to make improvements and, in doing so, largely agreed with the statements of the EDPB. In particular, data transfers to other third countries based on the UK’s own agreements, as well as bulk access, still need to be clarified more precisely. In principle, the data protection framework in the UK is very similar to that in Europe. However, British law provides for exceptions, especially with regard to national security and immigration. With Brexit, these exceptions now also apply to EU citizens. The MEPs also advised the national data protection authorities to suspend data transfers to the UK if the requested improvements are not made.
Despite the concerns of the EDPB and the rejection by the EU Parliament, the EU Commission adopted the adequacy decision on the United Kingdom on 28 June 2021. In its press release, the Commission states that although the United Kingdom is no longer a Member State of the EU, the legal provisions for the protection of personal data are still in place. Regarding the concerns of the EU Parliament, the Commission argues that significant safeguards are in place in case the UK’s privacy framework diverges from EU standards in the future, to protect the fundamental rights of EU citizens. These safeguards allow the EU Commission to intervene, if necessary.
Content of the adequacy decision
The adequacy decision contains the following elements:
- Despite leaving the EU, the UK’s data protection system continues to be based on EU standards, as was the case when the UK was a member state of the EU.
- With respect to access to personal data by public authorities in the UK (notably for national security reasons), the UK system provides for strong safeguards:
  - Data collection by intelligence agencies is, in principle, subject to prior authorisation by an independent judicial body. Any measure needs to be necessary and proportionate to the objective pursued.
  - If data subjects, companies, organisations, etc. feel that they have been subjected to unlawful surveillance, they may bring an action before the Investigatory Powers Tribunal.
- The UK also remains subject to the jurisdiction of the European Court of Human Rights and must adhere to the European Convention on Human Rights as well as to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. The latter is the only binding international convention in the field of data protection. These obligations under international law constitute essential elements of the legal framework assessed in the adequacy decision.
- The adequacy decision for the UK is also the first decision to contain a so-called “sunset clause”, which strictly limits its duration. The decision automatically expires four years after its entry into force. Renewal is only possible if the UK continues to ensure an adequate level of data protection. But even during these four years, the EU Commission may intervene at any time if the level of data protection in the UK deviates from the level of protection currently in place. If, after the four years, the Commission decides to renew the adequacy decision, the adoption process would start again.
- The criticised data transfers for immigration control practised by the UK are excluded from the material scope of the adequacy decision adopted under the GDPR. This is due to the recent decision by the Court of Appeal of England and Wales on the validity and interpretation of certain restrictions of data protection rights in this area. This decision has been taken into account in the adequacy decision. However, once the situation has been remedied under UK law, the EU Commission will reassess the need for this exclusion.
The development is to be welcomed, but the European Court of Justice (ECJ) “Schrems II” decision of July 2020 may impact the outcome. The decision could be called into question and courts may challenge the UK’s data adequacy status in the future.
The ECJ confirmed that the indiscriminate access to and retention of traffic and location data by UK intelligence services was unlawful (judgment of 6 October 2020, C-623/17). Although the EU Commission has now adopted an adequacy decision for the UK, it could still be subsequently overturned by the ECJ.
The decision comes at the very last minute. We recall that the transition period expired on 30 June 2021. However, due to the decision, the flow of data will not be affected and the free flow of data with the UK will continue unrestricted for the time being.