Understanding UK-EU data flows, what does data adequacy mean?
Under Article 45 of the General Data Protection Regulation (GDPR), the European Commission has the power to determine whether a third-country offers an adequate level of data protection to that in the EU.
The adoption of an adequacy decision is broken down into four main steps. These include:
- a proposal from the European Commission
- an opinion of the European Data Protection Board (EDPB)
- an approval from representatives of EU countries
- the adoption of the decision by the European Commission
The adequacy decisions are subject to review and the European Commission may be requested by the European Parliament and the Council to maintain, amend or withdraw the adequacy decision at any time.
The EU-UK adequacy process timeline
On 19 February 2021, the European Commission provisionally greenlighted the adoption of two adequacy decisions for transfers of personal data to the UK. This followed a thorough technical assessment by the Commission which found the UK’s data protection regime as providing an equivalent level of protection to the GDPR and the Law Enforcement Directive (LED).
The decisions were scrutinised by the EDPB which published its opinions on the Commission's assessment on 14 April. An analysis of the EDPB opinion can be found below.
The bridging mechanism, as agreed under the Trade and Cooperation Agreement, allowed for the unrestricted transfers of personal data from the EEA to the UK until 1 May 2021. However, the deadline was extended to 1 July 2021 upon agreement from both sides, until the final UK data adequacy decision was formally adopted.
The European Parliament passed a resolution on 21 May asking the Commission to modify its draft decisions on whether or not UK data protection is adequate, considering that UK bulk access practices, onward transfers and its international agreements need to be clarified further. The European Parliament however does not have a formal role in the ratification process.
The decision progressed to comitology and was unanimously adopted by the 27 Member States in the European Council on 16 June, before a final decision was taken by the European Commission on 28 June adopting the two adequacy decisions for the UK. The decisions were adopted just in time before the end of the bridging period on 30 June.
With the decisions formally adopted, UK and EU businesses will not be required to put in place an additional legal basis, such as Standard Contractual Clauses (SCCs), to transfer personal data between the UK and the European Economic Area (EEA), allowing data to flow as long as UK and EEA businesses are observing their respective data protection frameworks.
However, the European Commission will continue to monitor developments in the UK data protection regime very closely, and holds the power to amend, repeal or suspend the decisions if required. The decisions also include a ‘sunset clause’, meaning that the decisions will automatically expire four years after their entry into force and will be reviewed before being renewed.
What did the European Commission's draft impelmenting decision contain?
The European Commission’s draft implementing decision recognised that the structure and main components of the UK legal framework applying to data is very similar to the one applying to the EU. This is not only based on the UK’s domestic law which has been shaped by EU law but also stemming from the UK’s obligations enshrined in international law such as the European Convention on Human Rights and Convention 108.
The data adequacy standard does not require finding an identical level of protection or a point-to-point replication of EU law, in this case the GDPR. The litmus test lies in the ability of third countries to demonstrate a similar level of data protection to the EU through their own system, not just through their effective implementation, but also supervision and enforcement through Data Protection Authorities (DPAs) - which the European Commission has concluded that the UK’s data protection system does so.
Crucially, however, the draft decision notes that, unlike other partners, UK begins from a position of convergence, but has expressed a desire to make changes to its data protection regime. As a result, the UK’s adequacy decision is not focused on ensuring that the UK implements a series of actions to bring its data protection laws more in line with the EU’s over a period of time.
Rather, the Commission’s decision was designed to manage the UK’s divergence from European data protection law, pathways within the conclusions that could trigger a review and potential termination of the agreement.
These include:
- The European Commission will monitor, on an ongoing basis, any relevant policy changes to data protection rules in the UK that may reduce the level of data protection offered.
- The European Commission may repeal, partially or completely suspend, or amend the adequacy decision based on:
- the process of resolving a complaint from a Member State DPAs who will report to the European Commission any concerns they have or where they find the UK is not offering an equivalent level of protection.
- Any material changes to the UK’s international commitments, specifically its membership of and subjection to the European Convention of Human Rights and its Court (even though this commitment is enshrined in the EU-UK Trade and Cooperation Agreement).
- The adequacy decision will be reviewed after four years after the date it enters into force and the European Commission will initiate the procedure to amend or extend this decision at least six months before this date. This ‘break’ could be the point where the Commission seeks to lay down more conditions and restrictions for the UK under this framework, to avoid more divergence.
What did the EDPB opinion state?
During its 48th plenary session on the 14 April , the European Data Protection Board (EDPB) adopted two opinions on the European Commission draft Implementing Decisions, published on 19 February, on the adequate protection of personal data in the UK.
The EDPB broadly welcomes the Commission’s draft decision to grant UK data adequacy, finding many aspects of the UK data protection framework to be “essentially equivalent” to the safeguards under the GDPR. These include:
- concepts (e.g. “personal data”; “processing of personal data”; “data controller”);
- grounds for lawful and fair processing for legitimate purposes;
- purpose limitation;
- data quality and proportionality;
- data retention, security and confidentiality;
- transparency; special categories of data;
- direct marketing;
- automated decision making and profiling.
The EDPB even goes a step further to state that UK data protection law includes principles that go beyond than what is required for a country to be granted adequacy by the EU; therefore, elevating the level of protection provided for in the UK.
While the EDPB does not expect the UK legal framework to replicate European data protection law, as a former Member State, there is significant mirroring of EU law in the UK GDPR and the DPA 2018 (aka. the UK data protection framework). Such content principles include the ones related to personal data breach notifications, the data protection officer, data protection impact assessments and data protection by design and by default.
However, despite finding “strong alignment” between the GDPR and the UK data protection framework, the EDPB’s tone is hesitant and cautious, urging the Commission to subject the UK’s framework to more detailed scrutiny with regards to:
- The UK’s intention to develop separate and independent policies in data protection, which may lead to significant divergence from EU data protection law.
- Safeguards of personal data under the “broadly formulated” immigration exemption.
- Onward transfers of personal data to other jurisdictions outside of the EEA.
- The interplay between the UK data protection framework and its international commitments, such as the UK-US Cloud Act Agreement, or other information sharing agreements which are inaccessible by the public such as the UK-US Communication Intelligence Agreement.
- The effectiveness of the UK’s practice on procedural and enforcement mechanisms through the Information Commissioner’s Office.
- Access by public authorities to data transferred to the UK under national security and surveillance laws.
Aside from calling on the Commission to keep a close eye on developments in the UK that may affect the level of protection of personal data, the EDPB consistently reminds the Commission of the powers it has at its disposal to suspend, amend or even repeal the adequacy decision. The EDPB has also welcomed the Commission’s decision to introduce a sunset clause of four years for the draft decision. This would be the first EU adequacy decision to include a sunset clause where adequacy is not renewed without a reassessment.
Overall, the European Commission’s decision and the EDPB's opinion for the UK were very positive and warmly welcomed by both the EU and UK tech sectors which have been making clear the importance of a mutual data adequacy agreement since the Brexit referendum.
Read DIGITALEUROPE's position paper on the EU-UK adequacy decision which techUK contributed to.
Neil Ross
As Associate Director for Policy Neil leads on techUK's public policy work in the UK. In this role he regularly engages with UK and Devolved Government Ministers, senior civil servants and members of the UK’s Parliaments aiming to make the UK the best place to start, scale and develop a tech business.
