On 13 April 2021, the European Data Protection Board ("EDPB") adopted two opinions ("Opinions") concerning draft UK adequacy decisions published by the European Commission which would permit the free flow of personal data from the European Economic Area ("EEA") to the UK in the post-Brexit world.
The Opinions largely support the draft UK adequacy decisions and represent a positive step towards adoption of formal UK adequacy decisions. Nonetheless, organisations which transfer personal data from the EEA to the UK should continue to monitor the developments and keep planning for the possibility that the adequacy decisions, if adopted, could be withdrawn after the initial four-year period (or even earlier) or overturned by the Court of Justice of the European Union, as seen twice already in the case of the Safe Harbour and the Privacy Shield for personal data transfers to the United States.
Setting the Context
Following the end of the Brexit transition period on 31 December 2020, transfers of personal data from the EEA to the UK have been freely permitted by virtue of a six-month additional transition period provided for in the EU-UK Trade and Cooperation Agreement (see our alert here for further details). Once the transition period ends on 30 June 2021, transfers of personal data from the EEA to the UK will be subject to rules contained in Chapter 5 of the EU General Data Protection Regulation ("GDPR").
The simplest solution for businesses to transfer personal data freely between the EEA and the UK would be the adoption by the European Commission of a UK adequacy decision, whereby the European Commission determines that the data protection laws of the UK are adequate to those under EU law. Should the UK receive an adequacy decision, subject to any conditions of that decision, personal data would be permitted to flow freely from the EEA to the UK without the need to deploy any further measures to legally effect the transfer.
Whereas the UK has already determined that UK personal data can flow freely to the EEA without the need for further measures, the European Commission's decision to commence the formal procedure to adopt two adequacy decisions for the UK in February 2021 signalled a positive development for organisations that rely on EEA to UK cross-border data flows. The Opinions now presented by the EDPB are a step in the process towards adoption of the formal UK adequacy decisions.
Specifically, the Opinions are in response to the European Commission's draft adequacy decisions concerning:
- the adequacy of protection of personal data in the UK pursuant to the GDPR (Opinion 14/2021) ("First Opinion"); and
- the adequacy of protection of personal data in the UK pursuant to the EU Law Enforcement Directive (EU) 2016/680, which covers processing of personal data by authorities for the prevention, investigation and prosecution of criminal offences ("LED") (Opinion 15/2021) ("Second Opinion").
In its First Opinion, the EDPB outlined that the GDPR had been mostly mirrored by the UK in its domestic data protection framework. For instance, the EDPB draws attention to the alignment on certain core data protection provisions, such as grounds for lawful and fair processing for legitimate purposes, purpose limitation, data quality and proportionality, data retention, security and confidentiality, transparency, special categories of data, direct marketing and automated decision making and profiling.
The EDPB also identified a number of challenges which the EDPB recommends and invites the European Commission to further assess and address. Such challenges include:
- Risks to transferred EEA personal data in light of UK Government indications to develop separate and independent policies which could cause divergence between the UK and EU data protection frameworks.
- The "immigration exemption" contained in Schedule 2 of the UK Data Protection Act 2018.
- Onward transfers of EEA personal data from the UK, which should
only be permitted from the UK to third countries if the level of
data protection in the importing third countries is also
"essentially equivalent" to the GDPR. This might not be
the case, for example, in the following situations:
- where there are inconsistencies between the UK and European adequacy regimes (which currently mirror each other), for instance should the European Commission decide certain countries are no longer adequate from a European data protection perspective;
- where future international agreements concluded between the UK and third countries may facilitate direct access to EEA personal by third countries' authorities;
- where UK legislation may provide for additional onward transfer tools in the future which do not align with EEA requirements, such as safeguards following the Schrems II decision (see our alert for further details); or
- where the UK Information Commissioner's Office interpretation of the derogations in Article 49 UK GDPR no longer aligns with those of the EDPB.
- Access to personal data by government authorities. The EDPB welcomes the existence of the Investigatory Powers Tribunal ("IPT") and of Judicial Commissioners. However, the EDPB sees the need to further assess cases in which a lawful interception is possible without approval of the IPT or the Judicial Commissioners.
The EDPB welcomed the European Commission's decision to include a sunset clause in the draft adequacy decision, setting its expiration date to four years after its entry into force. In addition to this and in light of the identified challenges, the EDPB invited the European Commission to monitor all relevant developments in the UK and suspend and/or amend the GDPR adequacy decision, if necessary.
In the Second Opinion, the EDPB found that there is a "strong alignment" between the essence of the fundamental principles and the core provisions in the LED and in the UK legal framework. The EDPB has made a number of recommendations to the European Commission and the EDPB welcomed the European Commission's decision to introduce the four-year sunset clause like in the case of the draft GDPR adequacy decision.
Similarly to the First Opinion, the EDPB advises the European Commission to closely monitor the developments regarding the UK data protection legislation and amend or suspend the LED adequacy decision, if necessary.
Given the depth and substance of the remarks of the EDPB, the European Commission may amend the draft adequacy decisions for the UK to address the EDPB's concerns. While this may delay the adoption process, it is a positive development, given that the amended adequacy decisions should be more likely to withstand scrutiny by the Court of Justice of the European Union.
Visit us at mayerbrown.com
Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe - Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.
© Copyright 2020. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.