By Andrew Scott
CIPP/US, CIPP/E, CIPM
On January 20, 2020, the United Kingdom (U.K.) announced it would be leaving the European Union (EU). For the purposes of data protection law, the U.K.’s exit from the EU signaled it would be undergoing a change in its status under the General Data Protection Regulation (GDPR or the Regulation) from a member state to a ‘third country’ (i.e., outside the EU). This means EU member states must comply with Chapter V of the GDPR in relation to any transfers from the EU to the UK.
On December 24, 2020, the EU and the U.K. agreed to the EU-UK Trade and Cooperation Agreement (TCA). The TCA has allowed time for the European Commission (the Commission) to make a determination on the ‘adequacy’ of the U.K.’s digital trade regime. Pursuant to Article 45 of the Regulation, the Commission has the power to determine whether a country outside the EU offers an adequate level of data protection.
In assessing the level of data protection in third countries, the Commission seeks to ensure there is an essential equivalence with the EU legal framework. Based, in part, on the transparency and security principles, the question is essentially: is the country to which you are transferring personal data likely to be equivalent in terms of privacy protections?
On February 19, 2021, the Commission announced two draft ‘adequacy decisions’ that would allow the free flow of data to continue from the EU to the UK. One decision is under the Regulation (2016/679) and the other under the Law Enforcement Directive (2016/680), which deals with the processing of personal data for law enforcement purposes. If approved, the decisions would grant adequacy status to the U.K., ensuring EU personal data can continue to flow freely to the U.K.
Many are breathing a sigh of relief as the draft decisions likely foreshadow that the official adequacy decisions will be adopted soon. Members of both the EU and UK community have shown optimism, excitement, and support for the drafts:
- “The draft adequacy decisions are an important milestone in securing the continued frictionless data transfers from the EU to the UK.” – Elizabeth Denham, UK Information Commissioner
- “EU citizens’ fundamental right to data protection must never be compromised when personal data travel across the Channel. The adequacy decisions, once adopted, would ensure just that.” – Didier Reynders, Commissioner for Justice
- “The UK has left the EU, but not the European privacy family. . . . This is why we included clear and strict mechanisms in terms of both monitoring and review, suspension or withdrawal of such decisions, to address any problematic development of the UK system after the adequacy would be granted.” – Věra Jourová, Vice-President for Values and Transparency
A Response to Schrems II?
The draft adequacy decisions are the first and only adequacy decisions since the Schrems II ruling of the Court of Justice of the European Union (CJEU), which invalidated the Privacy Shield and led the European Data Protection Board (EDPB) to prepare its recommendations.
Schrems II is not mentioned specifically in either draft decision. The first decision, however, is a robust 87 pages, and it is replete with references to the U.K.’s legal framework and practice, oversight mechanisms, and redress mechanisms, the very issues at stake in Schrems II. Perhaps this is the Commission’s recognition of the vigilance needed in a post-Schrems II era.
The First Law Enforcement Draft Adequacy Decision
The second draft adequacy decision is significant because it is the first time the Commission has proposed a draft adequacy decision in the law enforcement context. At 50 pages, this draft adequacy decision would help the U.K. continue to exchange information with member states across the EU to fight crime and terrorism.
What is Future Proof?
If adopted, the draft decisions would be valid for a period of four years. At that time, the Commission could renew the adequacy findings as long as the level of protection in the UK continues to be adequate. The renewal is not automatic, which might be the Commission’s way of keeping the U.K.’s data protection regime from diverging from the GDPR.
Essentially, the Commission has created an expiration date on these draft adequacy decisions. This is unprecedented: no prior adequacy decision has an expiration date; they just need to be “reviewed.” In its news release, the Commission justified the limited duration of the decisions by pointing out that it wants to ensure the decisions are “future proof” now that the U.K. is no longer bound by the EU privacy rules and can set its own course.
Perhaps the expiration date is partially in response to a concern about onward transfers. Recitals 75 through 82 describe provisions on onward transfers. Some have wondered whether the U.K. might become a backdoor for personal data to go to third countries that lack adequacy decisions, for example, the U.S. Onward transfers to a third country without an adequacy decision could jeopardize the U.K.’s adequacy status and put at risk the rights of EU citizens.
What Must Happen Before the Adequacy Decisions Are Adopted?
The U.K. does not have to do anything else. The publication of the draft decisions is the beginning of a process towards their adoption. First, the EDPB will provide a non-binding opinion on the findings. Then, the Commission will request approval from member state representatives under the comitology procedure before adopting the final adequacy decisions for the UK. This process will have to move quickly, as the extension under the TCA expires April 30, 2021, but if need be, it can be extended to June 30, 2021.
What Happens if there is No Adequacy Finding?
The U.K. will be considered a third country under the GDPR. Like the U.S., the U.K. will have to use appropriate safeguards to transfer data to E.U. member states. Safeguards are mechanisms a company can adopt to protect personal data and facilitate ongoing and systematic cross-border personal data transfers. The GDPR expressly provides for appropriate safeguards that may be used: Binding Corporate Rules (Articles 46(b), 47); Standard Contractual Clauses (Article 46(c)); Model Contracts (Recital 109); Approved Codes of Conduct (Article 40); Certification Mechanisms (Article 42); Ad Hoc Contractual Clauses Authorized by Supervisory Authorities; or certain derogations (if none of these mechanisms work).
What Does This Mean for the U.S.?
The U.K.’s current data protection regime (the so-called “UK GDPR” and the Data Protection Act 2018) is aligned with the GDPR. Given the favorable determination the Commission has bestowed on it in the draft adequacy decisions, the U.K. has every incentive not to engage in data transfers with any third country that would jeopardize its potential adequacy status. And, if the U.K. receives an adequacy decision, it will still have every incentive not to engage in data transfers that could jeopardize that status, because, as it appears, the U.K.’s adequacy decision would expire after four years with no guarantee of renewal if the Commission determined the country’s data protection regime was no longer in alignment.
While there was once talk of the U.K. leaving the EU and aligning its data privacy regime more with the U.S., it would seem that talk has ceased. It is clear that the U.K. intends to keep its data privacy regime aligned with the EU’s GDPR. Until further notice, U.S. businesses should expect to continue to conduct data transfers with the U.K. as if it were still a member of the EU, meaning mostly more of the same: appropriate safeguard mechanisms and derogations.