On 19 February 2021, the European Commission published two draft data adequacy decisions which found that the UK’s data protection standards are ‘essentially equivalent’ to those within the European Union. The decisions, if approved, will allow for free flow of data between the EU and the UK. Data flows from the UK to the EU are governed by the UK law and the UK has declared the EU ‘adequate.’
The publication of the draft decisions started the process of official approval within the EU. The decisions are now being examined by the European Data Protection Board (EDPB) which is going to issue an opinion. The decisions will then be examined by the representatives of the member states. Finally, the College of Commissioners will give its approval.
Although there is no official timetable for this process, during the European Parliament’s Civil Liberties (LIBE) committee meeting on 16 March, Commissioner Reynders indicated that the EDPB opinion is expected in mid-April, and the approval process may conclude by the end of May or early June.
Following the UK’s withdrawal from the EU on 31 January 2020 and the end of the transition period on 31 December 2020, the question of data flows between the EU and the UK became crucial. This is because the General Data Protection Regulation (GDPR) places restrictions on the transfer of personal data outside the European Economic Area (EEA).
Under the GDPR, there are two possibilities for data transfers to occur between the EU and third countries in line with the GDPR: transfers with and transfers without a data adequacy decision.
Articles 45(3), GDPR and Article 36(3) of the Law Enforcement Directive (LED) grant the Commission the power to make decisions on a third-country’s data adequacy. The adequacy decision is adopted by the European Commission, after obtaining an opinion from the European Data Protection Board (EDPB) and agreement of the member states. There are currently 12 adequacy decisions covering countries such as New Zealand, Canada and Switzerland.
To achieve the standard of EU data adequacy, the Commission carries out a detailed examination of a country’s data protection laws in accordance with the criteria set out in the GDPR. These include among others the rule of law, existence of an independent supervisory authority with responsibility for ensuring and enforcing compliance with the data protection rules, and the third country’s international commitments and conventions, especially in the field of personal data.
The Commission followed the same approach with the UK albeit to tighter timescales relating to the end of the transition period on 31 December 2020. On 24 December 2020, the EU and UK signed the Trade and Cooperation Agreement (TCA) which now regulates the new relationship between them.
Since the process of examining and approving the decisions was not completed before the end of the transition period, the UK-EU TCA envisages a bridging mechanism for data flows. Under the mechanism, the UK is not treated as a third country for the purposes of data transfers from the EEA. The mechanism is valid until the end of April, or, if neither side objects, until the end of June.
However, if the decisions are adopted, there are two remaining concerns. First of all, as the UK has now left the EU, it will have its own regulatory regime governing data protection. It therefore remains to be seen to what extent it will continue to stay aligned to European data protection standards. The adequacy decisions are to be reviewed every four years and the Commission will thus continue to monitor the developments in the UK’s data protection legislation. Secondly, the decisions remain open to legal challenge, similarly to the case of invalidation of the EU-US Privacy Shield. For some, the main issue of concern are the broad investigatory powers of the UK authorities and their compatibility with the EU data protection laws and settled case law of the Court of Justice of the EU (CJEU).