Scott McGeachy: European Commission publishes draft decisions to allow EU-UK data flows
The European Commission has published two draft “data adequacy” decisions in favour of the UK. If approved, these adequacy decisions will allow personal data to be transferred from the EU to the UK, without the need for organisations to put in place any additional safeguards. As such, these adequacy decisions will enable data flows to continue as normal between the EU and the UK, even after the end of the post-Brexit transition period, writes Scott McGeachy.
The European Commission has only previously granted data adequacy decisions in favour of a small number of countries around the world, including Switzerland, Israel, Argentina, Uruguay, Japan, Canada and New Zealand.
Draft decisions
The draft adequacy decisions conclude that the UK has a level of protection for personal data that is “essentially equivalent” to the level of protection guaranteed under the GDPR and the EU’s Law Enforcement Directive.
These draft decisions are partly influenced by the fact that the UK has fully implemented the GDPR in its own domestic law (now known as the “UK GDPR”). In addition, the European Commission gave particular weight to the UK’s continued membership of the European Convention on Human Rights and the European Court of Human Rights.
After the publication of the EU-UK Trade and Cooperation Agreement (“TCA”) in December 2020, it was widely expected that the European Commission would determine that the UK has an “adequate” data protection regime. The TCA introduced a short “bridging mechanism” to allow data flows to continue as normal until 30 June 2021 while the European Commission completed its “adequacy” procedures.
Next steps
As a next step, the European Commission will obtain a non-binding opinion on the draft decision from the European Data Protection Board (EDPB). Following this, the draft decisions will be submitted for approval to a committee of national representatives from EU Member States. If approval is obtained, the European Commission will then be able to formally adopt the two data adequacy decisions.
If the data adequacy decisions are adopted, this would be great news for businesses in both the UK and the EU. This would allow data to flow freely between the UK and the EU, and would avoid any need for businesses to put in place Standard Contractual Clauses in order to facilitate EU-UK data transfers.
Taking into account that the UK’s data protection laws may diverge or change over time, the European Commission’s adequacy decisions would only apply for an initial period of 4 years from the date they come into force. However, the European Commission may seek to extend the term of the adequacy decisions by an additional 4 years (i.e. 8 years in total). As such, these adequacy decisions would not be of indefinite duration, but would instead be subject to review or renewal on a regular basis.
In addition, in light of last year’s Schrems II case, it is possible that data privacy activists may seek to challenge the UK’s “adequacy” status in the courts. In particular, objections may be raised based on concerns about the UK’s national security procedures, including concerns about mass surveillance activities, and data sharing with US authorities. However, based on the progress of previous cases (e.g. Schrems I and Schrems II), it is likely that it would take at least a few years before any such legal challenge reaches the CJEU for final judgement.
Other post-Brexit data protection issues
Even if the two data adequacy decisions are formally adopted, there are still a number of other important post-Brexit data protection issues that many businesses will need to consider. These include the following:
- Reviewing contracts and privacy notices to reflect the post-Brexit situation;
- Potential appointments of either EU representatives or UK representatives for compliance with EU and UK data protection laws; and
- Taking steps to address the fact that the GDPR’s “One Stop Shop” regulation system will no longer apply in the UK – this will have an impact on interactions with data protection regulators, including notification requirements in relation to data breaches.
Scott McGeachy is an associate at Burness Paull