Following Brexit, the United Kingdom became a third country under the EU General Data Protection Regulation (GDPR). As a result, transfers of personal data from the EU to the UK are allowed only if the level of data protection in the UK is equivalent to that of the EU. The European Commission can confirm the level of data protection with an adequacy decision under the GDPR. But whether this will happen in time for the UK and whether courts will challenge the UK’s data adequacy status is still uncertain.
Draft adequacy decision
On 19 February 2021, the European Commission launched the process towards the adoption of an adequacy decision for transfers of personal data to the United Kingdom. In addition, the Commission provided information on the next steps and published a draft adequacy decision. The European Data Protection Board will issue an opinion next and the Commission’s decision must be approved and adopted by Member States.
Rejection by the EU Parliament
In April, the EDSA commented on the Commission’s draft. In general, the EDSA welcomed the draft, but required few improvements.
On 20 May 2021, the European Parliament, with a narrow majority of MEPs, also called on the Commission to make improvements and, in doing so, largely agrees with the statements of the EDSA. In particular, data transfers to other third countries based on own agreements as well as bulk access still need to be clarified more precisely. In principle, the data protection framework in the UK is very similar to that in Europe. However, British law provides for exceptions, especially with regard to national security and immigration. With Brexit, these exceptions now also apply to EU citizens. The MEPs also advised the national data protection authorities to suspend data transfers to the UK if the requested improvements are not made.
The development is to be welcomed, but the European Court of Justice (ECJ) “Schrems II” decision of July 2020 may impact the outcome. The decision could be called into question and courts may challenge the UK’s data adequacy status in the future.
The ECJ confirmed that the indiscriminate access to and retention of traffic and location data by UK intelligence services was unlawful (judgment on 6 October 2020, C-623/17). Therefore, even if an adequacy decision is adopted, it could still be subsequently overturned by the ECJ.
It appears that this is yet another extension of the Brexit transition period and the Brexit deal. A final decision by the Commission on the adequacy decision is expected in the coming months and will probably only be made after the end of the transition period. Companies are therefore strongly advised to secure data transfers with other safeguards such as standard contractual clauses.
Prepared for all Brexit contingencies?
Get your expert data protection advice now!