The European Commission has published (19 February 2021) draft decisions on the adequate protection of personal data by the UK under both the EU's General Data Protection Regulation (EU GDPR) and the Law Enforcement Directive.
Publication of the drafts is only the first step in the adequacy process: the opinion of the European Data Protection Board, approval from representatives of EU countries and final adoption by the European Commission are still to come. The UK government in its press release described what is still to come as a "technical approval process", and urged the EU to complete this swiftly, so that final adequacy decisions are in place as soon as possible. The recent Japanese adequacy decision took approximately four months to be finalised from publication of the draft decisions (though it took almost two years in total), and, within those four months, required several rounds of discussions with the European Data Protection Board.
The progress of the adequacy process to this point will come as very welcome news for both UK and EU businesses. In many ways, it should not be a surprise: UK data protection laws are – for the most part – identical to EU data protection laws, and, if the UK were not deemed adequate, the bar would be set incredibly high for future adequacy decisions (and reviews of existing adequacy decisions).
Why is an adequacy decision important?
Post-Brexit, the UK is a third country for the purposes of the EU GDPR, which – without an adequacy decision – makes transferring personal data from the EU to the UK more difficult.
The EU-UK Trade and Cooperation Agreement (TCA) put in place an interim solution buying the EU more time to conclude its formal adequacy decision. Under the TCA, transfers of data to the UK are to be considered as if they were still transfers within the EU – so no other transfer mechanisms, such as standard contractual clauses (or supplementary measures), are required for those transfers for the moment. However, there are strings attached:
- the interim solution is for a limited period of up to four months, extendable to six months, so a future potential "cliff edge" at the end of April or June 2021 is still possible if the adequacy process drags on (or does not deem the UK to be adequate); and
- while the interim solution applies, the UK effectively has to preserve its existing data protection regime, and is precluded from altering it or exercising certain powers under it (for example, to enter into new international data transfer arrangements) except in limited circumstances.
What would an adequacy decision mean practically for businesses?
If the European Commission does finally conclude that the UK is adequate, it means that transfers of personal data from the EU to the UK can continue to be made without any further safeguards being necessary. Practically, that means that businesses will not need to re-paper contracts to include the standard contractual clauses, or to conduct transfer impact assessments.
That will be a big relief for many businesses already having to do that exercise for transfers of personal data to other third countries that have not been deemed adequate; such as, the US and India.
What are the potential challenges?
Even if adequacy is granted for the UK, that is unlikely to be the end of the story for EU-UK data transfers. Much has already been made of the potential challenges with granting the UK adequacy; including the UK's surveillance practices, and its arrangements with the US. It seems that the Commission has sought to address those concerns already in the oversight mechanisms included in the draft decisions, though those mechanisms are no guarantee that adequacy won't be challenged by privacy rights organisations and others, in the future.
For now, though, this is good news.