UK adequacy decision

Monday 14th June, 2021

If the UK is not granted an “adequacy decision” by 30th June 2021, transfers of personal data from the EEA to the UK will be unlawful unless businesses put further safeguards in place, such as the EU Commission’s Standard Contractual Clauses (“SCCs”).

Businesses should review their data flows as soon as possible and, for transfers from the EEA to the UK, should take steps to put the SCCs in place now.

What is the current situation?

For businesses to lawfully transfer personal data outside the EEA, there must either be an EU Commission adequacy decision for the receiving country or additional measures must be put in place by businesses to protect the data (such as the SCCs).

Following Brexit, the UK became a “third country” for the purposes of the GDPR, which means transfers of personal data to the UK are treated the same as transfers of personal data to any other country outside the EEA without an adequacy decision, such as the US.

On 28 December 2020, the UK and the EU agreed the Trade and Cooperation Agreement (“TCA”). With this came a 6-month “bridging period” during which UK businesses could continue to receive personal data from the EEA without further safeguards whilst the EU and UK negotiated an adequacy decision. The bridging period ends on 30th June.

A draft adequacy decision for the UK was released by the European Commission in February 2021 and is currently under consideration by representatives from each EU member state.

Although there are many similarities in the data protection framework of the EU and that of the UK, a few recent developments suggest the UK might not be granted adequacy by 30th June.

What is blocking an adequacy decision?

  1. There are ongoing concerns around the surveillance practices in the UK, namely the interception of communications under the UK’s Investigatory Powers Act 2016. In February this year, the LIBE Committee of the European Parliament issued a non-binding opinion on this which highlighted continuing concerns, together with uncertainty around the broadness of the immigration exemption under the Data Protection Act (since ruled invalid, see below).
  2. The immigration exemption set out in Schedule 2 of the Data Protection Act 2018 has been under the spotlight for some time, and a recent Court of Appeal decision (R (Open Rights Group and the3million) v Secretary of State for the Home Department and Others [2021] EWCA Civ 800) ruled that the immigration exemption is not a valid (GDPR-compliant) exemption under national law, namely because it is too broad (and therefore fails the overarching test for “strict necessity”).
  3. Finally, there are concerns around the onward transfer of personal data from the UK to third countries once it has been received from the EEA.

What options are available?

  1. Binding corporate rules (“BCRs”) – these are a set of approved rules that businesses may adopt to govern their data transfers. At present, BCRs tend to be reserved for very large corporates or a group of enterprises engaging in joint economic activity and do not offer a realistic alternative to most UK businesses.
  2. SCCs – these are a set of pre-approved clauses that may be adopted / incorporated into a wider formal written agreement governing the processing of personal data between two parties. The SCCs may not be amended but do require tailoring when incorporated into contracts. The SCCs are the most easily accessible and convenient safeguard.
  3. Exceptions – there are limited exceptions to the rules on international transfers in the GDPR. However, in practice these are rarely used, and most are only available for one-off data transfers.

What does this mean for businesses?

In the absence of an adequacy decision by 30th June, many businesses will find themselves without appropriate arrangements in place to lawfully transfer personal data from the EEA to the UK.

It may be that the UK’s adequacy decision is granted by 30th June or the bridging period is extended, but due to the current uncertainty and the risks associated with non-compliance, businesses should take steps to put the SCCs in place now.

 

This article is current as of the date of its publication. The information and any commentary contained in this article is for general information purposes only and does not constitute legal or any other type of professional advice.  Marriott Harrison LLP does not accept and, to the extent permitted by law, excludes liability to any person for any loss which may arise from relying upon or otherwise using the information contained in this article.

Articles by Chris Mooney