Following approval from the EU Council of Ministers earlier this month, the EU Commission announced on 28 June 2021 that it has adopted two adequacy decisions for the UK: (i) under the General Data Protection Regulation (2016/679/EU) (GDPR); and (ii) under the Law Enforcement Directive (2016/680/EU) (LED). The Commission explains that this means that personal data can now flow freely from the EU to the UK where it benefits from an essentially equivalent level of protection to that guaranteed under EU law. Following the end of the Brexit transition period on 1 January 2021, data flows have continued pursuant to a "bridging mechanism" contained in the EU-UK Trade and Cooperation Agreement (TCA), which expired on 30 June 2021.

The Commission says that both adequacy decisions include strong safeguards in case of future divergence by the UK, including a "sunset clause", which limits the duration of adequacy to four years.

According to the Commission, the key elements of the adequacy decisions include:

  • the UK's data protection system continues to be based on the same rules that applied when the UK was a Member State of the EU; the UK has fully incorporated the principles, rights and obligations of the GDPR and the LED into its post-Brexit legal system;
  • with respect to access to personal data by public authorities in the UK, notably for national security reasons, the UK system provides for strong safeguards; in particular, the collection of data by intelligence authorities is, in principle, subject to prior authorisation by an independent judicial body; any measure needs to be necessary and proportionate to what it intends to achieve; any person who believes they have been the subject of unlawful surveillance may bring an action before the Investigatory Powers Tribunal; the UK is also subject to the jurisdiction of the European Court of Human Rights and it must adhere to the European Convention of Human Rights, as well as to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, which is the only binding international treaty in the area of data protection;
  • the adequacy decisions include a "sunset clause", which strictly limits their duration to four years; after that period, the adequacy findings might be renewed, but only if the UK continues to ensure an adequate level of data protection; the Commission will continue to monitor the legal situation in the UK and could intervene at any point if the UK deviates from the level of protection currently in place; should the Commission decide to renew the adequacy finding, the adoption process would start again;
  • transfers for the purposes of UK immigration control are excluded from the scope of the adequacy decision adopted under the GDPR in order to reflect the Court of Appeal's judgment in The Open Rights Group v The Secretary of State for the Home Department [2021] EWCA Civ 800 on the validity and interpretation of certain restrictions of data protection rights in this area; the Commission will reassess the need for this exclusion once the situation has been remedied under UK law.

Originally published 5 July 2021
