Path paved for EU-UK adequacy decisions

What's the issue?

Following the end of the Brexit transition period, the UK became a third country for the purposes of personal data exports from the EEA to the UK.  Similarly, as the UK made provision for the GDPR to become the UK GDPR, the EEA countries became third countries for the purposes of transfers from the UK to the EEA.  

Transfers to third countries cannot happen freely unless those countries benefit from an EC adequacy decision.  Instead, they require additional protection using an authorised transfer mechanism such as Standard Contractual Clauses or Binding Corporate rules. 

The UK had made provision for personal data to continue to flow freely to the EEA and all countries benefitting from an EC adequacy decision.  This left an issue with data flows from the EEA to the UK.  Under the Trade and Cooperation Agreement (TCA), a temporary data bridge of up to six months was agreed to allow EEA-UK data flows to continue uninterrupted and without a need for further protections.

The data bridge was agreed on the basis that the EC was in the process of considering whether or not to grant the UK an adequacy agreement which would allow the continued free flow of personal data without any need for additional steps. 

What's the development?

The EC has published draft adequacy decisions for the transfer of personal data to the UK, one under the GDPR and the other under the Law Enforcement Directive.  Once adopted, they will allow personal data to be transferred from the EU and EEA countries to the UK without the need for additional protections (like Standard Contractual Clauses or Binding Corporate Rules).

The EC finds that the UK ensures an essentially equivalent level of protection to the one guaranteed under both the GDPR and the LED.  This includes with regard to the UK's rules on access to personal data by public authorities for law enforcement purposes, which was the area expected to cause potential problems with granting the UK adequacy.  

The draft decisions will now be scrutinised by the EDPB (whose opinion the Commission must take into account), and the Commission then needs to request the 'green light' from Member States' representatives under the comitology procedure. The European Parliament and Council can also ask to scrutinise the decisions and request the EC to maintain, amend or withdraw them. The UK government has urged the EU to complete the adoption process swiftly. In the meantime, the data bridge will apply.

What does this mean for you?

Those expecting the adequacy decisions to contain special terms and conditions, sectoral carve-outs, or detail on steps to give effect to the Schrems II ruling, will be disappointed. The Commission does, however, identify the UK remaining party to the European Convention on Human Rights and to Convention 108 of the Council of Europe as being "of particular importance for the stability and durability of the proposed adequacy findings".

Given the doubts expressed in some EU quarters about the extent of UK government access to personal data for national security and law enforcement purposes, particularly in the wake of the Schrems II decision, the lack of caveats to the draft decisions will come as a relief to business.  

It is possible there will be pushback during the next steps which could see the decisions revised or amended before adoption, but it is also clear that there is considerable political will to push them through.  

At the moment, the UK GDPR mirrors the EU GDPR, but the EC is clearly warning the UK that there will be consequences if the regimes start to diverge significantly.

Once adopted, the adequacy decisions will last for four years.  Protection for the EU comes from the fact that the EC will monitor relevant UK developments including actions taken by Member State data protection authorities in response to complaints about the treatment of EU data by the UK. The adequacy decisions could be withdrawn or amended if the Commission finds the situation has changed. 

It is not impossible that, like the Privacy Shield decision, the UK adequacy decisions could be challenged in the courts after adoption, although given the time it's taken for the Schrems litigation to play out (a process not yet complete), this would be unlikely to have an impact in the short to medium term.

For now though, this is great news for organisations relying on the free flow of personal data between the EEA and UK. The adoption of the EC-UK adequacy decisions should provide the crucial final piece of the post-Brexit data transfer puzzle.