The importance of Adequacy
The EU Commission on 19th February 2021 published a draft adequacy decision in favour of the United Kingdom. This is good news and whilst not a final decision is bodes well for UK businesses who trade in the EU.
Following the UK’s exit from the European Union and the end of the transition period on 31st December 2020, the UK became a Third Country in terms of our relationship with the EU. In respect of data protection this means that transfers of personal data from the EU to the UK can only take place under certain circumstances, to ensure sufficient safeguards are in place to protect EU data subjects. These safeguards must be put in place by any UK company that offers goods or services, or monitors the activity of EU citizens. Broadly speaking the main safeguards are:
Standard Contractual Clauses (SCCs) (most commonly used)
Binding Corporate Rules (BCRs) (for large corporates)
Derogations under Article 49 of the GDPR (rarely used)
An adequacy decision by the EU Commission
Most of the above safeguards involve a lot of paperwork, often legal fees and following a recent CJEU court case, the use of SCCs (the most common and likely route for most companies) entail additional actions including risk assessments on a “case-by-case” basis etc. A Third Country that received an adequacy decision however, is free to transfer data unhindered by red tape.
Currently only 12 countries have been given adequacy decisions. In order to reach an adequacy decision the Commission, in collaboration with other EU bodies, assess the data protection laws of the importing country and pay particular attention to the degree and ease of access by government to personal data. The recent demise of US Privacy Shield in the Schrems 2 case, and the absence of any adequacy decision in favour of the US, is largely down to the degree of access that US intelligence agencies have to personal data of non-US citizens. Additionally, at present there is no federal data protection legislation spanning the whole US.
So, why have the EU decided to offer the UK adequacy?
Current European data protection legislation has its roots very largely in the European Convention on Human Rights. The Commission appears to be favouring UK 'adequacy' (which requires "essential equivalence" with the EU in the protection of personal data) based to a large extent on the U.K.'s ratification of that Convention which guarantees the "right to a private and family life" including data protection. But importantly the Commission also accepts that government access to personal data is only permitted under specific circumstances, mainly around public safety/security. This is detailed in the Convention but the U.K. Human Rights Act 1998 dictates that any public authority action must be consistent with the Convention to which the U.K. has signed up. I think the apparent acceptance of this point by the Commission is key, because one of the reasons adequacy was in possible doubt was EU concerns over potential government access to data.
Another key factor in this decision was the fact that the UK, having been bound by the GDPR as members of the EU, have now, through the European Withdrawal Act 2018 and the ‘easy for you to say’ Data Protection, Privacy & Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, brought the GDPR into UK law as the UK GDPR, this being supplemented by the Data Protection Act 2018. This means that it would be difficult for the Commission to argue that the UK does not have “essentially equivalent” data protection rules to those of the EU.
New data protection laws appear to be sweeping the globe, and the US is currently discussing possible implementation of federal legislation. I would anticipate more adequacy decisions in coming years, especially as the free flow of data is so fundamental to international commerce.
We are not out of the woods yet but this is certainly a positive step and we await final adoption with baited breath because it will be a huge relief to many businesses. In the meantime the EU has given the UK a grace period potentially until June, by which time I hope we will have a final decision.
It is worth pointing out however, that even in the case of adequacy, UK businesses offering goods or services to or monitoring the behaviour of individuals in the EU/EEA, who do not have an establishment within the EU/EEA, must be aware that they will almost certainly need to appoint a representative in the EU/EEA. This is a service we can offer so if you are affected by this please contact us for details.
Nick Richards CIPP/E CIPM
Comments