The European Commission published a draft decision on UK adequacy for transfers of personal data from the EU to the UK, which you can read here. This EC conducted an assessment of the UK’s GDPR framework under the UK Data Protection Act 2018, including data protection rules applicable to UK law enforcement and national security and surveillance. It concludes that the UK ensures an ‘essentially equivalent’ level of protection to that within the EU, under the General Data Protection Regulation (GDPR) and Law Enforcement Directive (LED), meaning data transfers can flow from the EU to the UK without further safeguards.

Draft decision

Despite having left the EU, the UK remains a member of the European “privacy family”. The European Commission’s press release highlights that the UK remains party to (and is committed to remain party to) the European Convention of Human Rights and to “Convention 108” of the Council of Europe, further commenting that this is “of particular importance for the stability and durability of the proposed adequacy findings”.

The European Commission assessed the access and use of personal data by UK public authorities, in particular, for criminal law enforcement and national security purposes. It determined the UK laws demonstrated where there was interference with data protection rights, it was limited to what is strictly necessary and proportionate to the public interest objective pursued. There was an essentially equivalent level of protection to that of the EU and it does guarantee specific data protection safeguards and rights.

This decision has been welcomed by the UK government as ‘logical’, which will provide certainty for businesses, enable continued co-operation between the UK and EU and ensure law enforcement authorities can keep citizens safe. Further, the Information Commissioner, Elizabeth Denham, commented in a statement that this was an “important milestone in securing the continued frictionless data transfers from the EU to the UK” and welcomed the “progress” made.

While EU laws have shaped the UK’s data protection regime for decades, the European Commission is wary that the adequacy finding decision should stand the ‘test of time’ now that the UK is no longer bound by EU privacy rules. Thus, the European Commission has clarified that once the draft decisions are adopted, it will be valid for a period of four years. After this, it would be possible to renew this adequacy finding if the level of protection in the UK is still considered adequate after review.

Next steps

The publication of these draft decisions are the first steps to begin the process of adoption. These draft decisions will be shared with the European Data Protection Board who will provide an opinion (which is likely to be persuasive albeit non-binding), before the European Commission presents the draft decision to the committee composed of representatives from the EU Member States for formal approval. Until this happens, data flows between the EU and UK can continue under the interim regime that was agreed under the EU-UK Trade and Cooperation Agreement last year, which allowed for a time-limited bridging period of 6 months which is set to expire on the 30th June 2021.

The UK government has urged the EU to complete the technical approval process ‘swiftly’ to have these final data adequacy decisions as early as possible. They also stressed the importance of maintaining ‘seamless international data flows’ in this digitalised and ‘hyper-connected’ world.

It is possible that EU decision makers could raise concerns over the national surveillance laws, as they have done previously in the United States and that the UK adequacy decisions could still be challenged in the courts after its adoption, similar to the Schrems II judgement last year.

Nevertheless, this decision will come as a relief for businesses which rely on the regular transfer of personal data from the European Economic Area (EEA) to the UK, especially for those in the technology, financial or health sectors. It is important to note that the UK has already recognised data flows from the EU and EEA member states as adequate since 1 January 2021, as part of their efforts for a smooth transition.