UK Granted Adequacy Decision

It finally happened. It’s a done deal. The UK received an adequacy decision from the EU Commission. We will not have to do this again!  

Well… 

At least for another four years!  

At the end of last week, the EU states unanimously granted an adequacy decision for the UK, meaning data can continue to flow freely from the EU to the UK. The free flow of data was in jeopardy and the end of the most recent extension was to be June 30th. All this confusion and uncertainty is a result of the lingering aftermath of the whole Brexit thing. Do you remember that? It seems forever ago.  

While the UK officially left the EU 30 January 2020, there were many lingering issues, and on privacy and data protection, EU law continued to apply during the transition period. The transition period lasted throughout 2020 while UK and EU negotiators attempted to hammer out a deal on “adequacy.” Adequate countries offer a level of protection for data and privacy that is “essentially equivalent” to the EU.  

After an entire year of negotiations, a permanent resolution was delayed by the EU-UK Trade and Cooperation Agreement. This extended the negotiation period, allowing continued data transfers through June 30th. You might be wondering what all the fuss is about since the UK formalized the GDPR into its own domestic legislation. Well, questions linger about the UK’s commitment to EU-style privacy and data protection law.

Briefest of Histories 

In February, the EU Commission presented drafts for two adequacy decisions. Following the draft adequacy decision, the EU Parliament expressed considerable doubts about the UK’s commitment to the GDPR, especially in areas of national security and immigration control.  

In a resolution issued in May, the EU Parliament urged the EU Commission to review its draft adequacy decision. The Court of Justice of the European Union (CJEU) also weighed in, issuing an opinion in a lawsuit brought by Privacy International. The CJEU noted that the massive collection of communication and location data is not compatible with the EU Charter of Fundamental Rights. In another decision in May, the European Court of Human Rights described the UK’s mass surveillance program as a violation of human rights.

Well, with the deadline approaching, the EU scrambled to get a vote on the adequacy decision done.

As mentioned three times now, concerns linger, and the privacy community responded with a combination of disgust and relief. An adequacy decision was reached, and this paper will parse some of the important reasons that supported the decision while outlining some of those contradictions and concerns.

What is in the Decision? 

It really should not be much of a surprise the UK received an adequacy decision. As it is currently written, the UK GDPR virtually mirrors the EU GDPR including similar definitions for key terms like personal data, special category data, processing, controller and processor designations as well as the legal bases for the processing of data. The UK GDPR also adheres to the main principles of the EU GDPR such as: 

  • Purpose limitation 
  • Data Accuracy 
  • Data Minimisation 
  • Storage Limitations 
  • Data Security 
  • Transparency 
  • Accountability 

The UK GDPR also provides for the gamut of Data Subject Rights contained in Articles 15 to 22 of the EU GDPR. Other important inclusions in the UK GDPR that distinguish its laws from those of, for example, the United States are independent oversight by a Supervisory Authority, the Information Commissioner’s Office, as well as opportunities for individuals to seek judicial redress, including in the context of exemptions provided by national security or criminal law enforcement. See for example recital 134 that says “The law of the United Kingdom imposes a number of limitations on the access and use of personal data for criminal law enforcement purposes, and provides oversight and redress mechanisms” and recital 170, “a data subject has the right to lodge a complaint with the Information Commissioner,” read in conjunction with recital 171 “the DPA (Data Protection Act) 2018 provides the right to a remedy against the Information Commissioner if it fails to appropriately handle a complaint made by the data subject,” and recital 172 “individuals can obtain judicial redress against controllers and processors directly before the courts.”

The Decision also notes the UK has ratified the European Convention of Human Rights, and all public authorities in the UK are required to act in compliance with the conventions. Any interference with privacy must be in accordance with the law and proportionate in light of that aim. The Decision concluded that continued membership in the Council of Europe, the European Convention of Human Rights, and submission to the jurisdiction of the European Court of Human Rights is “a particularly important element of the assessment on which this Decision is based.”  

Restriction on Onward Transfers 

Notably singled out for comment is the “restriction on onward transfers.” The decision notes that “the level of protection afforded to personal data transferred from the Union…must not be undermined by the further transfer of such data to recipients in a third country.” Of course, the UK is now free to decide its own regulations, including the UK equivalent to an adequacy decision under the EU GDPR. It will be interesting to see if the UK makes adequacy findings, for example for the United States, where the EU has not.

In the absence of adequacy regulations, international data transfers can take place pursuant to implementation of appropriate safeguards like those under Article 46 of the GDPR including standard contractual clauses, binding corporate rules, and Article 49 derogations. One point to keep in mind is that the new standard contractual clauses issued by the EU Commission are not legally binding in the UK. The Information Commissioner’s Office (ICO) is expected to release its own version later this year.  

Another interesting piece of information is the enduring legacy of Schrems I where any EU data protection authority can independently assess the adequacy of the UK’s data protection regime. Recital 280 notes this saying “where a national data protection authority questions…the compatibility of a Commission adequacy decision with the fundamental rights of the individual to privacy and data protection, national law must provide it with a legal remedy to put those objections before a national court which may be required to make a reference for a preliminary ruling to the Court of Justice.” “Schrems III” anyone? 

The Sunset Clause 

Finally, we reach the section on “MONITORING, SUSPENSION, REPEAL OR AMENDMENT OF THIS DECISION.” The EU Commission is obligated to monitor developments in the UK following the adoption of the Decision “to assess whether it (UK) still ensures an essentially equivalent level of protection.” And there is a sunset clause on the adequacy decision, the first of its kind, listed under Recital 289 saying “It is therefore appropriate to provide that this Decision will apply for a period of four years as of its entry into force.” 

Extraordinarily, almost in parallel with the vote on the Adequacy Decision, the UK’s Taskforce on Innovation, Growth and Regulatory Reform issued its recommendations to the Prime Minister on “how the UK can reshape its approach to regulation and seize new opportunities from Brexit with its newfound regulatory freedom” with a section titled “Replace GDPR with a new UK framework for data protection.” For those inclined towards entertainment or schadenfreude, this may be an interesting area to watch.  
