EU adopts adequacy decisions allowing data flow to UK | Clark Hill PLC
Personal data may continue to flow freely between Europe and the United Kingdom (United Kingdom) following an agreement by the European Union (EU) to adopt an adequacy decision under Article 45 of the Regulation 2016/679 (the General Data Protection Regulation or GDPR) concerning the UNITED KINGDOM.
Transfers of personal data (as defined in the GDPR) to countries outside the European Economic Area (EEA) (referred to as “third countries”) are not, courtesy of Article 44 of the GDPR , permitted, except in the event of an adequacy decision, appropriate safeguards such as standard data protection clauses (issued in a form pre-approved by the Commission) or binding corporate rules (which must be approved by the Commission case by case). The Schrems II decision of July 2020 invalidated the Privacy Shield regime that previously legitimized transfers of personal data from the EEA to the United States. This brought to light the other aforementioned means of legitimate data transfers.
In the aftermath of Brexit, many wondered how data transfers between the EU and the UK would work, since from the effective date of the UK’s withdrawal from the EU (December 31, 2020), the United Kingdom would be considered a third country and, therefore, subject to the restriction in Article 44.
The adoption by the European Commission of an adequacy decision involves:
- A Commission proposal;
- An opinion from the European Data Protection Board (which replaced the Article 29 working group);
- Approval from representatives of EU Member States; and
- Adoption of the decision by the Commission.
The aim of this four-step process is for the Commission to assess whether a third country offers an adequate level of data protection. The European Commission has already published adequacy decisions for Andorra, Argentina, Canada (trade organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand , Switzerland and Uruguay.
Given the level of trade between the UK and the EU (around 50% of UK imports and exports from 2020) and the necessary corollaries in the levels of personal data transfers, it was important to ensure that future transfers would comply with GDPR requirements. on the post-Brexit agenda. The process began in February 2021 and ended four months later, on June 28, 2021, when the adequacy decision was adopted. The previous average for an adequacy decision was 28 months, so the pace at which that decision was completed indicates the political will and economic importance placed on the process. The GDPR adequacy decision was accompanied by a concurrent adequacy decision under the Law Enforcement Directive that works hand in hand with the GDPR in regards to police and security data transfers. .
The UK’s adequacy decision process will have incorporated a careful review of the UK’s legislative framework as well as its international commitments and the functioning of the Information Commissioner’s Office (the UK supervisory authority responsible for Data protection). It is almost certain that the UK’s adoption of the GDPR as national law (although it is a ‘frozen’ version of the GDPR as it stands in 2020) will have had an impact. very positive on this evaluation. Against this, the Commission will have weighed its concerns about the UK’s oversight regime under the Investigative Powers Act 2016.
The adoption of the adequacy decision (s) is to be welcomed by companies involved in trade with the UK and / or transactions with UK companies to which personal data of EU data subjects are transferred. However, the UK’s adoption of GDPR carries a risk, if not certainty, of some divergence over data protection laws in the future. As this evolves, the Commission may exercise its power to revoke adequacy decisions. With this leverage comes the prospect that in reality the UK may remain subject to the continued development of EU data protection law.