Brexit & Data Protection – EU Adequacy Decision granted

The UK has finally been granted an “adequacy decision” by the EU on 28^th June 2021, and in this article, we will explain what this is and why it matters. We will also consider what steps might need to be taken when transferring data to countries which have not been deemed to provide robust enough protection of data.

What is it?

When the UK’s transition period for leaving the European Union ended on 31^st December 2020, an extension was granted to the UK in respect of Data Protection. This has meant that few, if any, changes have had to be introduced to continue sending and receiving data to and from the EU and EEA (European Economic Area, which includes Iceland, Lichtenstein, and Norway). This was agreed to allow more time for the EU to decide whether to grant the UK an adequacy decision and it was due to come to an end on 30^th June 2021.

Adequacy decision = “Adequacy” is a term that the EU uses to describe other countries, territories, sectors, or international organisations that it deems to provide an ‘essentially equivalent’ level of data protection to that which exists within the EU. The equivalent term in the UK is adequacy regulation.

Why does it matter?

Without an adequacy decision, the UK would have been regarded by the EU as a third country, meaning strict restrictions on transfers of personal data between the UK and the EU. While there are ways around such restrictions, it would have meant additional time and resources spent on putting in place – and maintaining – adequate safeguards (more on these further down).

It is worth mentioning that the UK had already committed to allowing data to continue flowing freely to the EU – but of course ensuring data can also flow to the UK from the EU is essential, so we have been waiting to understand how data would be able to do just that in the future. Without an adequacy decision, adequate safeguards would have had to be put in place in order to transfer personal data from, say, a parent to subsidiary company.

The EU adequacy decision granted on 28^th June means that the UK has been deemed a nation which offers an equivalent level of protection for personal data to the one guaranteed under EU law. As such, transfers to the UK from the EU are not restricted transfers and no additional “adequate safeguards” are required. To be clear, this is great news and will help companies looking to expand to the UK.

Is this forever, then?

No. The current decision is expected to last until 27^th June 2025, after which the EU may choose to extend the decision for a further period of up to a maximum of another four years.

Possible developments in the UK will be monitored on an ongoing basis by the EU to ensure the UK continues to provide an equivalent level of data protection. Additionally, both EU data subjects and the various EU data protection authorities can initiate legal challenges to adequacy decisions, with the Court of Justice of the European Union ultimately having to decide whether the UK does provide equivalent protection. This means that, theoretically, the adequacy decision could be withdrawn during the coming four years.

Companies which process data in the UK and/or the EU will now have to ensure they do so in compliance with both EU GDPR and UK GDPR (in addition to the Data Protection Act 2018). The latter, for now at least, essentially mirrors EU GDPR, but the UK has retained the right to amend this law in the future. Future deviations away from the EU approach to data protection may mean that the EU withdraws its decision, or prompt EU data subjects or regulatory authorities to bring legal challenges to it.

So what are adequate safeguards when dealing with countries outside the EU/EEA and which have not been deemed to offer adequate protection?

As mentioned above, there are ways to make a restricted international transfer, but these are subject to strict rules and can also be amended or withdrawn, so it is important to keep an eye on decisions or changes made by EU (or indeed the UK).

Consent – a valid consent must be both specific and informed, so the individual must be provided with precise details about the restricted transfer. Consent will not be valid if it is obtained for restricted transfers in general. In order for consent to be considered valid, the data subject(s) must be given detailed information about the transfer (including who it will go to, and the possible risks involved in making the transfer).

Binding Corporate Rules (BCR) – often favoured by multinational corporations and groups of companies, these need to be drafted and then approved by the Information Commissioner’s Office (ICO). Any existing EU BCRs now need to be transitioned to UK BCR, meaning they have to be approved again by the ICO.

Standard Contractual Clauses (SCCs) – Arguably the easiest option out there, the EU has recently approved a “modernised” version of these contractual clauses, and this new version should be published shortly. SCCs are essentially a set of contractual clauses, drafted and maintained by the EU (and now also the UK), which aim to regulate the way in which data transferred to third countries is processed and protected. Organisations are free to include the SCCs in a wider contract, and to add other clauses or additional safeguards but they must not contradict, either directly or indirectly, the SCCs or prejudice the fundamental rights or freedoms of data subjects. In cases where the SCCs are in any way edited or modified by an organisation, that organisation is no longer relying on approved SCCs and they need to seek authorisation from a supervisory authority in order to rely on them.

Questions? Please do not hesitate to reach out to Goodwille’s Governance team at evy.rune@goodwille.com, who will be delighted to help.