On February 19, 2021, the European Commission (EC) published two draft implementing decisions to enable the continuing free-flow of personal data from the EU to the UK (the Draft Adequacy Decisions) i.e., post-Brexit: (i) for transfers of personal data under the EU General Data Protection Regulation (EU GDPR); and (ii) for transfers of personal data under the Law Enforcement Directive (LED). This will come as a huge relief to companies across all industries who are in parallel already grappling with the repercussions of Schrems II. In fact, the Draft Adequacy Decisions (which collectively run to almost 140 pages) are the first of their kind in a post-Schrems II world and will likely be closely reviewed—including by privacy advocate Max Schrems who has promised his Twitter followers to “take a look at” the Draft Adequacy Decisions in particular with regard to the LED (i.e., which addresses UK government surveillance activities).
What transfers are restricted under the GDPR?
The EU GDPR prohibits the transfer of personal data to a country outside the European Economic Area (EEA) (otherwise known as a third country) that is not considered to provide an ‘adequate level’ of data protection by the EC unless ‘appropriate safeguards’ are implemented (e.g., Standard Contractual Clauses) or a derogation under the GDPR can be relied on (e.g., consent of the data subject). To date, 12 countries have been deemed ‘adequate’ by the EC (including, for example, Argentina, Canada (commercial organisations), Israel, Switzerland, and most recently, Japan).
What is the status of transfers to the UK following Brexit?
Following the end of the Brexit transition period (on December, 31 2020), under the terms of the EU-UK Trade and Cooperation Agreement (agreed by the EU and the UK on December 24, 2020), personal data flows from the EU to the UK remain unrestricted and can continue on an interim basis without the implementation of additional safeguards. This position will last: (i) for an interim grace period of up to 4 months from 1 January 2021 (with an automatic extension for two further months unless either the UK or the EU objects); or (ii) until an adequacy decision is granted by the EC, whichever is earlier and provided the UK makes no substantive changes to its data protection laws. In turn, transfers of personal data from the EU to the UK are currently not restricted and subject to the adoption of the Draft Adequacy Decisions, will remain unrestricted going forward (unless subsequently revoked).
What do the Draft Adequacy Decisions address?
Focussing primarily on the Draft Adequacy Decision for transfers made under the EU GDPR (GDPR Draft Adequacy Decision) and similar to the assessment countries are required to carry out following Schrems II, the adoption of an adequacy decision by the EC must “be based on a comprehensive analysis of the third country’s legal order, covering both the rules applicable to the data importers and the limitations and safeguards as regards access to personal data by public authorities”. Indeed, the EC must determine whether the third country in question (i.e., the UK) guarantees a level of protection “essentially equivalent” to that provided in the EU. This does not require that the level of protection be identical. The “essential equivalence” standard is assessed against the requirements of the EU GDPR, case law (including Schrems II) and the EDPB’s Adequacy Referential (WP 254). For purposes of the GDPR Draft Adequacy Decision, the EC assessed (amongst other things) the following as it relates to the rules applying to the processing of personal data:
- The UK’s constitutional framework – including, the existence of the UK Human Rights Act 1998 which incorporates the rights contained in the European Convention on Human Rights.
- The UK’s data protection framework – in particular, the fact that the EU GDPR has been incorporated into UK law (UK GDPR) and as such, the UK’s legislative framework for data protection is closely aligned to that in the EU. This includes both the territorial and material scope of the UK GDPR, the definitions for key concepts under the UK GDPR (e.g., personal data), the data protection principles of the UK GDPR (e.g., fair and lawful processing), and the data protection rights afforded to individuals (for which a particularly detailed analysis of the exemptions to these rights is provided) – all of which are equivalent to those provided in the EU GDPR.
- Onward transfers of personal data from the UK – in particular, the fact that the same restrictions on international transfers of personal data under the EU GDPR are provided in the UK GDPR in turn, safeguarding the onward transfer of EU personal data from the UK to another third country (e.g., the US).
- Oversight and enforcement – the existence of the UK’s Information Commissioner’s Office (ICO) as an “independent supervisory authority tasked with powers to monitor and enforce compliance with the data protection rules” and the powers of enforcement granted to the ICO which are equivalent to those granted to EU data protection authorities under the EU GDPR. Interestingly, references to the number of cases investigated by the ICO (approximately 40,000 complaints from data subjects per year and 2,000 investigations) as well as the fines issued by the ICO under the EU GDPR, are both factors considered in the EC’s assessment.
- Redress – the requirement that individuals are provided with effective administrative and judicial redress, including compensation for damages. The EC here references the ability for a data subject to: (i) complain to (and about) the ICO, (ii) bring a claim against controllers and processors for material and non-material damages under the UK GDPR, and (iii) bring a claim in UK courts under the UK’s Human Rights Act 1998 and ultimately in the European Court of Human Rights.
The EC also assessed access and use by UK public authorities to EU personal data transferred to the UK in particular, for criminal law enforcement and national security purposes. In making this assessment the EC considered (amongst other things) whether UK laws demonstrate that the interference with data protection rights is necessary and proportionate with respect to the legitimate (public interest) objective pursued. The EC concluded in this regard that “through membership of the Council of Europe, adherence to the European Convention of Human Rights and submission to the jurisdiction of the European Court of Human Rights, the UK is subject to a number of obligations, enshrined in international law, that frame its system of government access on the basis of principles, safeguards and individual rights similar to those guaranteed under EU law and applicable to the Member States.” The EC further acknowledged the scope of the UK’s Data Protection Act 2018 which applies also to personal data processed by public authorities, including by law enforcement and national security bodies and which in turn, guarantees specific data protection safeguards and rights. A detailed analysis is then provided in relation to access for criminal law enforcement purposes and national security purposes (including, in relation to the exercise of bulk powers under the Investigatory Powers Act 2016).
What are the next steps?
The Draft Adequacy Decisions will now be reviewed by the European Data Protection Board (EDPB). The EC will take into account (but is not bound by) the EDPB’s Opinion. Following this, the Draft Adequacy Decisions will be submitted to a committee composed of representatives from all EU Member States to provide a formal opinion, usually in the form of a vote, on the Draft Adequacy Decisions. The EC is then able to adopt the Draft Adequacy Decisions.
It should be noted, however, that once adopted, the Draft Adequacy Decisions would be valid for four years. After four years, the adequacy finding may be renewed if the level of protection in the UK remains adequate. Further, it is possible that following adoption of the Draft Adequacy Decisions, applications for annulment will be lodged (within two months and 10 days of publication) by privacy activist groups. There may also be complaints made to data protection authorities in the EU and national courts that could threatened continued adequacy determinations. Ultimately when it comes to international transfers of personal data, entities with global footprints continue to live in uncertain times. But for the time being, the publication of these Draft Adequacy Decisions is likely to be welcome news for industry.