On the 28th June 2021, the European Commission (Commission) adopted two adequacy decisions for the UK: one covering the GDPR and the other the Law Enforcement Directive (LED). Such decisions demonstrate that the Commission believes the UK ensures an ‘essentially equivalent’ level of protection to that within the EU. The implication of these decisions is that personal data can now flow freely from the EU to the UK, effective immediately.
On the 19th February, the Commission published two draft adequacy decisions and launched the procedure for their adoption, which we previously wrote about here. Since then, the Commission has carefully assessed the UK’s laws and practices on personal data protection, including access to data by public authorities in the UK. The European Data Protection Board gave its opinion on the draft decisions in support of the Commission’s findings, which we also blogged about here, before the decisions finally received the ‘green light’ from the EU Member States’ representatives.
The Commission’s 93-page GDPR decision assesses the legal framework for the UK in detail, even referencing laws such as the Magna Carta and Bill of Rights, and states ‘As the UK GDPR is based on EU legislation, the data protection rules in the United Kingdom in many aspects closely mirror the corresponding rules applicable within the European Union.’ It concludes that ‘the Commission considers that the UK GDPR and the DPA 2018 ensure a level of protection for personal data transferred from the European Union that is essentially equivalent to the one guaranteed by Regulation (EU) 2016/679.’
Key elements forming the basis of the final adequacy decisions
- The UK has fully incorporated the GDPR and the LED in its own legal system.
- The Commission has identified that there are strong safeguards in place, such as the need for prior authorisation by a judicial body should a public authority wish to access data for security purposes, and the requirement that measures taken are necessary and proportionate to the objective pursued.
- There are remedies in place if, for example, a person suspects they have been subject to unlawful surveillance, as they can lodge a complaint with the Investigatory Powers Tribunal and seek redress.
- The UK is also subject to the European Court of Human Rights, and will have to adhere to the European Convention on Human Rights as well as to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.
- Transfers for the purposes of UK immigration control are excluded from the scope of the adequacy decision in order to reflect a recent judgment of the England and Wales Court of Appeal in this area. The Commission will reassess this exclusion once it has been remedied under UK law.
- The national security or defence exemption under Article 26 of the Data Protection Act 2018 (DPA 2018) exempts personal data from most of the data protection principles and obligations, and individuals’ rights, where this is required to safeguard national security or for defence purposes. The Commission considered the ICO’s guidance in this area and has said the exemption can only be applied to the extent it is required to safeguard national security or defence. The ICO’s guidance states this must be considered and applied by the controller on a case-by-case basis and cannot be a ‘blanket exemption’. The controller relying on the exemption must “show that there is a real possibility of an adverse effect on national security” and will be expected to provide the ICO with evidence about why it has relied on this exemption.
- Competent authorities may make use, under certain conditions, of the powers provided by the Investigatory Powers Act 2016 (IPA 2016). In this case, the safeguards provided by the IPA 2016 will apply in addition to those provided by Part 3 of the DPA 2018.
- The National Crime Agency or the Chief of Police are listed as examples of law enforcement authorities who can use targeted investigatory powers, namely under the IPA 2016. In this case, the safeguards provided by the IPA 2016 will apply in addition to those provided by Part 3 of the DPA 2018.
The UK Government’s press release about the Commission’s decisions states that they ‘welcome the move’ and reinforces the fact that the Government has already recognised the EU and EEA member states as ‘adequate’, as part of its commitment to establish a smooth transition for the UK’s departure from the European Union. Further, the Government announced its own plans to promote the free flow of personal data globally and across borders, including through trade deals and new data adequacy agreements with some of the fastest growing economies, while ensuring people’s data continues to be protected to a high standard.
It is important to note that both adequacy decisions include a ‘sunset clause’, which means they will last for four years after their entry into force, which is until 2025. During these four years, the Commission will monitor the legal situation in the UK and could intervene at any time if the UK deviates from the current level of data protection. After this period, adequacy findings may be reviewed and renewed if the UK continues to ensure the essentially equivalent level of data protection as the EU.
For organisations operating in the UK, this news will come as a relief. The decision has thankfully become effective before the end of the interim six-month ‘bridging period’ agreed under the UK – EU Trade and Cooperation Agreement, which allowed personal data to be transferred from the EU to the UK without the need for any additional safeguards and was set to expire on the 30 June.