After the Brexit vote and another year of negotiations, 2020 came and went without a decision by the EU on the adequacy of the UK’s data protection laws. In the Trade Cooperation Agreement, the EU and the UK agreed to extend the negotiation period by six months, allowing for the continued free flow of data between the EU and the UK. On 19 February 2021, the EU Commission released two draft adequacy decisions. If approved, the two adequacy decisions extend beyond the six-month extension period and allow for the continued free flow of data from the EU to the UK.
The Commission released two draft adequacy decisions: one under the General Data Protection Regulation (GDPR) and the other for the Law Enforcement Directive. The draft decisions represent the Commission’s assessment of the UK’s laws including the rules on access to data by public authorities that so irked the Court of Justice of the European Union in its Schrems II decision.
The EU Commission concluded in its drafts that the UK ensures an essentially equivalent level of protection as guaranteed under the GDPR. This essential equivalence was a major point of contention. While the UK has adopted its own version of the GDPR, there is a fear that the UK’s data protection practices may begin to diverge from the EU in the post-Brexit period.
This is addressed in the draft decisions current form that would be adopted for a period of four years and would require renewal of the adequacy finding. This renewal requirement allows the EU Commission to “react in cases of ‘problematic divergence from EU data rules, ‘to terminate or suspend the decision, or to not renew the decision in four years’ time.’”
The drafts will now go to the European Data Protection Board (EDPB) for a non-binding opinion before the Member States consider the proposals. If the proposals are given the go ahead, the Commission then has the option of adopting the two adequacy decisions.
Until then, data flows may continue between the EU and the UK thanks to the Trade Cooperation Agreement. The interim period expires on 30 June 2021.
What is Adequacy?
Article 45 of the GDPR and Article 36 of the Law Enforcement Directive grant the Commission the power to decide that a non-EU country ensures an “adequate level of protection” for personal data that is essentially equivalent to the level of protection within the EU. If a non-EU country is “adequate,” transfers of personal data from the EU to the non-EU country can take place without further safeguards.
While the UK has deemed the EU “adequate,” the EU conducted an inquiry into the protection of personal data in the UK. In the UK, the processing of data is governed by the UK GDPR and the Data Protection Act 2018. These two pieces of legislation are based on the EU GDPR and the Law Enforcement Directive and provide similar safeguards like individual rights and redress, rules on data transfers, and obligations for controllers and processors as those available under EU law.
What Happens Next?
The UK government applauded the draft decisions and is now urging the EU to move swiftly through the approval process before the “bridging mechanism” expires on June 30. The drafts now to go to the European Data Protection Board for a non-binding opinion before the Member States consider the proposals. If the proposals are given the go ahead, the Commission then has the option of adopting the two adequacy decisions.
Adoption of adequacy will provide businesses with certainty over their data transfer practices that have been left in limbo following Brexit and the conclusion of the transition period. As Rafi Azim-Khan, the head of data privacy at Pillsbury law says, the drafts were a “sigh of relief” but the “draft still needs to be formally approved, and there is still the possibility that in four years’ time the EU changes its mind.”
As the EDPB considers the drafts, they will be tasked with examining the Investigatory Powers Act of 2016, which provides the framework for collecting information for national security purposes. In a tweet on Friday, Max Schrems, the named plaintiff in the Schrems II case that led to the invalidation of the EU-US Safe Harbor and Privacy Shield agreements wrote, “We will take a look at the UK adequacy decision once it is out. There seems to be little doubt about adequacy of the commercial data use. At the same time there are obviously issues on UK government surveillance on EU data, which requires deeper analysis.”
To complicate matters, the UK is part of the Five Eyes nations that has signed what some argue is a controversial agreement with the US over the sharing of intelligence information. This raises concerns that data transferred from the EU to the UK will from there be transferred onwards to the United States surveillance apparatus.
We will await the EDPB’s opinion on these issues and more in the coming weeks and months.