Last week there was big news – breaking for some, expected for others. The EU Commission has published a positive adequacy decision for the UK. This means that personal data can continue to flow freely from the EU to the UK without the need for organisations to take further measures, despite the fact that the UK is not in the EU anymore.
What is an adequacy decision?
First of all, let’s talk about what an adequacy decision is.
Do you process personal data that someone outside the European Economic Area (EEA) has access to? Do you use service or cloud providers that are established outside the EEA? The GDPR calls this ‘Transfer of personal data to a third country’. A transfer is not a mere transit – processing of personal data needs to take place as well. As a rule of thumb, these transfers are prohibited. Despite this general prohibition, it is still possible to transfer personal data to a third country (i.e. any country outside the EEA), but the rules are strict. The reason is that the EU wants to ensure that data subjects will have the same level of personal data protection as they enjoy in the EU.
Once a country is considered to have an adequate level of data protection laws, the EU Commission publishes the so-called “adequacy decision” and no additional safeguards need to be in place for transfers of personal data to these countries. This is how the EU Commission ensures that data subjects will have the same level of data protection as they have in the EEA.
The UK case
As you might have heard, the UK left the EU on 31 January 2020. From a data protection perspective, that meant that the UK, as of this date, is considered a third country. So from one day to the next, you could only transfer personal data to the UK with the use of appropriate safeguards like Standard Contractual Clauses (SCCs). The thing here is that the UK already has a data protection regime in place similar to the EU one. The GDPR has been UK national law since the enforcement of the GDPR on the 25th of May 2018 (now the so-called UK GDPR).
Therefore, after Brexit, the UK asked for an adequacy decision so that transfers of personal data could continue as usual. The Commission needed more time to assess whether it would grant an adequacy decision or not, so in the meantime, the UK was given a transitional period during which personal data was transferred as usual.
Before the expiration of this transitional period, the EU Commission granted the long-awaited adequacy decision.
Points of concern regarding the UK adequacy decision
On 19 February, the Commission published two draft adequacy decisions and launched the procedure for their adoption. Concerns were raised by both the EU Parliament and the European Data Protection Board about the implementation of the UK’s data protection regime and more specifically about the two exceptions in the fields of national security and immigration, which now also apply to EU citizens wishing to stay or settle in the UK. Notwithstanding these concerns, the EU Commission published a positive adequacy decision for the UK, which, as of last week, has been criticised on the following points:
UK mass surveillance
The UK has mass surveillance, and the most problematic point is the indiscriminate bulk collection of personal data (in particular communications data) for national security purposes. The EU Commission has been criticised because, in the adequacy decision and more particularly under the section “Government Access”, it merely describes the surveillance regime rather than analysing it.
The immigration exception
The immigration exemption (Schedule 2 of the DPA 2018) allows the Home Office and other organisations or companies involved in “immigration control” to refuse access to personal data held about individuals if it might “prejudice the maintenance of effective immigration control”.
The UK adequacy decision (Recital 6) carved out the immigration exception from the scope of the adequacy decision (“This conclusion does not concern personal data transferred for United Kingdom immigration control purposes or which otherwise falls within the scope of the exemption from certain data subject rights for purposes of the maintenance of effective immigration control (the “immigration exemption”) pursuant to paragraph 4(1) of Schedule 2 to the UK Data Protection Act”).
This exception has been the reason why many (including the EU Parliament and the EDPB) have expressed the view that the UK should not be granted an adequacy decision. Note also that in May 2021 the Court of Appeal of England and Wales declared the immigration exemption illegal under the GDPR.
Is this the final act of the Brexit drama?
For the first time, an adequacy decision includes a so-called ‘sunset clause’, which strictly limits its duration. This means that the decision will automatically expire four years after its entry into force. After that period, the adequacy findings might be renewed only if the UK continues to ensure an adequate level of data protection.