Charlotte Smith considers two recent adequacy decisions and explains how this affects existing data practices.
After six months of waiting, it was confirmed on 28 June 2021 that the European Union has granted the UK an adequacy decision for data protection. In fact, there have been two adequacy decisions – one under the GDPR, and another in relation to processing under the Law Enforcement Directive.
What does this mean?
Under the EU GDPR, personal data cannot be transferred to a country outside of the European Economic Area without an appropriate safeguard being put in place (e.g. standard contractual clauses and binding corporate rules under the GDPR), unless that personal data was being transferred to a country with an adequacy decision.
When the UK left the EU and the Brexit deal was finalised an adequacy decision had not yet been determined. Instead a six month bridging period was agreed which allowed personal data to continue to flow freely whilst the EU determined if an adequacy decision would be granted. That adequacy decision
is now in place.
This means that personal data can still flow from the EU to the UK without the need for appropriate safeguards or relying on an exception under Article 49 of the EU GDPR. As the UK also does not require appropriate safeguards for transfers of personal data to the EU then this adequacy decision means that personal data can more easily flow between the UK and EU. This is a decision that will be welcomed by organisations operating in both the UK and EU who were likely becoming concerned that they may need to quickly put standard contractual clauses in place and amend their data practices, if they had not already done so.
What do the adequacy decisions say?
It is time limited. Unlike adequacy decisions granted by the EU to other countries, the adequacy decisions granted to the UK are for 4 years and are not indefinite. The EU acknowledges that, for now, the UK’s data protection legislation is very closely aligned to the EU; post-Brexit the UK brought the GDPR into UK and the EU’s Law Enforcement Directive is incorporated into UK
law through the Data Protection Act 2018.
After those four years the adequacy decision can be renewed if the EU considers that the UK continues to provide an adequate standard of protection for the personal data of individuals in the EU.
It will be interesting to see if the time limited nature of the adequacy decision will impact on any updates to data protection legislation that the Government may be considering. The recent report by the Taskforce on Innovation, Growth and Regulatory Reform suggested replacing the GDPR in the UK and we wait to see if the Government decides to adopt those recommendations. The EU Commission is likely to be following those developments carefully when considering whether to extend the adequacy decision in the future.
Organisations relying on these adequacy decisions for long term transfers of personal data should bear this in mind. It may be worth considering if contracts should include explicit provisions for the data protection provisions to be revisited in future to address the transfer of personal data from the EU.
The GDPR adequacy decision also does not cover transfers of personal data for the purposes of UK immigration control. This is because of the Court of Appeal’s recent judgement in R (Open Rights Group and the3million) v Secretary of State for the Home Department and Others  EWCA Civ 800.
The Court of Appeal held that the immigration exemption set out in Schedule 2 of the Data Protection Act 2018 was not compliant with the GDPR. The EU Commission has indicated that it will reassess whether this immigration exclusion is needed once the UK has addressed the findings of the Court of Appeal.
Charlotte Smith is an Associate at Sharpe Pritchard LLP.
For further insight and resources on local government legal issues from Sharpe Pritchard, please visit the SharpeEdge page by clicking on the banner below.