On 28th June 2021 the European Commission adopted an adequacy decision under Regulation (EU) 2016/679 (GDPR) (the "Decision") for the transfer of data from the EEA to the UK, the first such decision in the post-Brexit era. As a result, the UK is now the 13th country considered officially as a third country which provides an adequate level of protection under Article 45(3) of the GDPR and personal data can move freely to it from anywhere in the EEA.
Challenging as it may have been, keeping up with EU legal developments during the Brexit transition period amidst political pressure on the government to dispose of the GDPR has been a key factor which has undoubtedly played a crucial role in taking this decision. As admitted by Commission VP, Vera Jurova, "the UK has left the EU but today its legal regime of protecting personal data is as it was. Because of this, we are adopting these adequacy decisions today."
In carrying out its assessment of the UK's legal framework in this area, the Commission took into account the fact that the possibility of access to personal data by public authorities in the UK for public security reasons is subject to prior authorisation by an independent judicial body and the principle of data minimisation and the fact that under UK law data subjects have the right to recourse to a special tribunal and the European Court of Human Rights. It also took into account the UK's international commitments arising under the European Convention of Human Rights and the Council of Europe Convention for the Protection of Individuals with regard to Automated Processing of Personal Data.
It is also noted that personal data that is transferred for purposes of United Kingdom immigration control or that otherwise falls within the scope of the exemption from certain data subject rights for purposes of the maintenance of effective immigration control is excluded from the scope of the Decision.
The Decision will apply for a period of 4 years, with the possibility of extending it for another 4 years if the relevant adequacy findings are still factually and legally justified. In the meantime, as stated in the Decision itself, the Commission will be monitoring on an ongoing basis the relevant developments in the UK and it may suspend, repeal or amend this decision at any time.
At the same time, it places an obligation on the United Kingdom authorities to promptly inform the Commission of any material change to the UK legal order that has an impact on the legal framework that is the object of this Decision, as well as any evolution in practices related to the processing of the personal data assessed in this Decision. In addition, Member states should also inform the Commission about any relevant action undertaken by the national data protection authorities, in particular regarding queries or complaints by EU data subjects concerning the transfer of personal data from the Union to controllers or processors in the United Kingdom.
No doubt a failure to adopt such decision on the part of the European Commission would have had a potentially significant financial impact on UK businesses, especially technology companies and generally all businesses who rely on cross border data transfers as part of their day-to-day operations (from the execution of simple payroll functions to e-commerce and the provision of cloud storage solutions). Although significant discontent has been averted for now thanks to the Decision, the Commission has been made it very clear that the UK will need to remain transparent and continue to demonstrate consistency and commitment to EU privacy laws and international human rights to maintain this honorary status and remain on its "good third country" list.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.