The European Commission and data adequacy: Putting its UK decisions in a global context

6 July 2021
The European Commission announced that the UK's data protection laws provide an adequate level of protection for personal data flowing from the EU to the UK. The decision is a welcome one for UK businesses, who could legally exchange data as if the UK were still part of the bloc until 30 June 2021.

The European Commission (EC) determine whether a third country — that is, a country outside the EU — provides an adequate level of data protection when receiving personal data from an EU member state. If a third country is deemed to have adequate protections, then personal data can legally move between that country and any EU member state (along with Norway, Liechtenstein and Iceland) without additional safeguards. The EC has so far determined that the following countries have adequate levels of data protection: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.

Following the UK’s exit from the EU, transfers of personal data between the EU and UK were being conducted under the EU-UK Trade and Cooperation Agreement (TCA). The EC’s recent announcement about the UK’s data privacy adequacy came on 28 June, two days before the TCA expired.

Announcements on the UK’s data privacy adequacy

On 28 June 2021, the European Commission and the UK’s Department for Digital, Culture, Media & Sport separately published press releases announcing the EC’s decision on the UK’s data privacy adequacy. The announcements actually relate to two decisions, one under the EU’s General Data Protection Regulation (GDPR), the other under its Law Enforcement Directive, which governs data exchanges in the law enforcement sector.

The announcements are revealing in part for their differences. The UK press release emphasises the EC’s affirmation of the UK’s robust controls and the decisions’ positive ramifications for UK businesses. The decisions, the release says, “rightly [recognise] the country’s high data protection standards,” and “mean that UK businesses and organisations can continue to receive personal data from the EU and EEA without having to put additional arrangements in place with European counterparts.”

The UK release also reaffirms the country’s independence from EU directives, saying the UK “now operates a fully independent data policy.” It also takes a pro-business, pro-ESG stance, asserting that “the government’s approach will seek to minimise burdens on organisations seeking to use data to tackle some of the most pressing global issues, including climate change and the prevention of disease.”

The EC’s release, by contrast, emphasises that the recent decisions are temporary and subject to ongoing review and possible revocation. For the first time, the EC’s adequacy decisions include a “sunset clause,” meaning the UK’s adequate status will expire in four years, after which “the adequacy findings might be renewed” [Vistra’s emphasis]. Over the next four years, the EC “will continue to monitor the legal situation in the UK and could intervene at any point, if the UK deviates from the level of protection currently in place.”

Transfers concerning UK immigration control are excluded from the scope of the adequacy decisions. A recent England and Wales Court of Appeal decision found that the immigration exemption is currently incompatible with UK law, as it does not contain certain provisions setting out the safeguards listed in Article 23(2) of the UK General Data Protection Regulation. The EC says it will revisit the issue “once the situation has been remedied under UK law.”

What the adequacy decisions mean for UK businesses, and putting them in a global context

The European Commission’s adequacy decisions mean that, in the vast majority of scenarios, UK-based businesses may continue to legally receive personal data from the EU without having to implement additional safeguards. Additional steps would almost certainly have been required if the TCA had expired without favourable adequacy decisions.

Third countries without an adequacy decision face significant challenges when receiving personal data from the EU. As mentioned, only a dozen countries in addition to the UK have EU data privacy adequacy. (Last month, the EC announced it has launched the process for adopting an adequacy decision for South Korea.) The US, Australia and China are among the major economies that do not currently have an adequacy decision in place from the EC.

The US is a notable case. Last July, the European Court of Justice struck down the EU-US Privacy Shield, an agreement that had previously allowed GDPR-compliant data flows from the EU to the US. The decision, known as the Schrems II case, essentially made the Privacy Shield unlawful because it did not protect data from US government surveillance. Some have speculated that the recent UK adequacy decisions could “set a template” for a Privacy Shield replacement, at least for transfers not subject to US government surveillance. If a replacement is agreed on, the UK may itself later replicate that. (Remember that the UK has pointed out it may modify its own data protection regulations, which could jeopardise its adequacy.)

Recommendations for EU businesses making data transfers to third countries

Last month, the European Data Protection Board (EDPB) released recommendations for making compliant data transfers from the EU to third countries. Referencing the Schrems II case, the recommendations put the onus on EU-based businesses.

The recommendations lay out six steps for data controllers and processors to ensure compliance when making transfers. Perhaps the most daunting is step three, which is to:

  • make an assessment of the laws of the third country where the data is being sent to determine if those laws might compromise safeguards; and
  • examine the practices of the third country’s public authorities to ensure that safeguards can provide adequate protection in practice.

All assessments should be done on a case-by-case basis and be thoroughly documented. Step three ends with a warning to businesses: “Your competent supervisory and/or judicial authorities may request [documentation] and hold you accountable for any decision you take on that basis.”

Needless to say, following the EDPB’s recommendations to the letter will be difficult and expensive for businesses in the EU and third countries. And given that assessments must be made about the often-opaque practices of national authorities, there will almost certainly be an element of legal risk whenever transferring data from the EU to a third country.

UK businesses can breathe a sigh of relief over the recent adequacy decisions. But as we know those decisions are temporary. And UK businesses may sooner or later find themselves in the unenviable position of having to legally obtain data from the EU without an adequacy agreement in place.

Paul Bicknell, Senior Associate, Solicitor, Vistra Corporate Law, contributed to this article.