In a ruling on 29 June 2021, the European Commission recognised the UK’s high standards of data protection as equivalent to its own, granting an “adequacy decision” which will allow for the continued, cross-border transfer of personal data from the EU to the UK. This decision came at the eleventh hour, with the “bridging period” granted under the Trade and Cooperation Agreement (TCA) agreed between the UK and the EU in December 2020 due to expire at 11:59pm on 30 June 2021. The bridging period permitted UK based businesses to continue to rely on the adequacy granted to EU based businesses on a temporary basis.
What does the adequacy decision mean for UK-based businesses?
In anticipation of a final adequacy decision not being reached by 30 June 2021 (and particularly in the last few weeks when the EU Commission remained dangerously silent), many businesses may have prepared for the worst by adopting additional safeguards for more stringent future requirements, namely by taking steps to draft the EU Commission’s Standard Contractual Clauses (which, to make matters more complicated, have recently been updated) into their existing contracts, or to prepare new template contracts.
Practically, the approved decision means that any additional safeguards factored into new or existing contracts will no longer be required, and businesses may put aside any pre- prepared amended documentation.
This is not the end of the story. The adequacy decision contains a “sunset clause” meaning that it is only valid for 4 years, after which it will be reviewed by the European Commission (and every 4 years thereafter). Further, though adequacy has been granted, it is still subject to challenge and there is a possibility (some being of the view that this is a probable possibility), of imminent challenge. This largely links with ongoing concerns over the UK’s surveillance laws which put the draft adequacy decision in the spotlight earlier this year; if challenged, the Court of Justice of the European Union (CJEU) have the power to declare the adequacy decision invalid. Given the decision last year by the CJEU to declare the EU-US privacy shield invalid in connection with what has become known as the “Schrems II case”, this is a real concern.
Ultimately, the adequacy decision will be welcomed as good news – it preserves the UK’s relationship and co-operation with the EU, allows for the smooth transfer of personal data and minimises disruption to businesses.
However, the EU plans to closely monitor how the UK data protection framework evolves, and the risk of challenge to the adequacy decision by those of the view that it should not have been granted in the first place, serves as a reminder to UK-based businesses to stay alert, monitor updates in connection with the adequacy decision and to also take steps to ensure their continuous compliance with data protection laws more generally.