What Do The European Commission ‘Adequacy Decisions’ Mean?
To the great relief of many, the European Commission (the “Commission”) has finally approved adequacy decisions in favour of the UK. One of the decisions relates to the EU GDPR and the other to the EU’s Law Enforcement Directive.
The adequacy decision which will have the most impact on UK businesses and other organisations is the one which relates to the EU GDPR (the “Adequacy Decision’). In this article, we look at why the Adequacy Decision is so important and some of the bumps in the road which may still lie ahead.
Why Is The Adequacy Decision Important?
The Adequacy Decision is significant because it means that EU businesses and organisations will be able to continue to transfer personal data to the UK (including, granting a UK entity access to personal data stored in the EU) without having to put in place appropriate safeguards (such as EU approved standard contractual clauses for the international transfer of personal data (‘SCCs’)). Combined with the provisional adequacy decision which has already been made by the UK government in relation to the EU, the overall result is that personal data will be able to flow freely between the UK and the EU for some time to come.
What Was The Position At The End Of The UK/EU Transition Period?
After the end of the transition period on 31st December of last year, transfers of personal data from the EU to the UK became ‘restricted transfers’ under the EU GDPR. This meant that such transfers were prohibited unless the parties concerned implemented one of the ‘appropriate safeguards’ available under the EU GDPR or were able to rely on a derogation (such as the explicit consent of the data subject).
However, as part of the EU and UK Trade and Co-Operation agreement, a temporary ‘data bridge’ was put in place which enabled personal data to continue to flow from the EU to the UK until 30th June 2021. The purpose of the data bridge was to give the EU time to review the adequacy of the UK data protection regime, hopefully leading to a decision of adequacy in favour of the UK (as is now the case).
The Adequacy Decision is particularly welcome as a result of the impact of the judgment of the Court of Justice of the European (‘CJEU’) in Schrems II this time last year and subsequent guidance issued by the European Data Protection Board (‘EDPB’), which has just been finalised.
The combined effect of these is that, where the parties to a transaction wish to transfer personal data from the EU to a ‘non-adequate country’ and intend to rely on appropriate safeguards to do so, they need to undertake an in-depth ‘transfer risk assessment’ to determine whether anything in the laws or practices of the recipient country potentially undermine the level of protection which would otherwise be ensured by the implementation of the chosen appropriate safeguard.
If the laws or practices of the recipient country are found to be problematic, the parties are required to consider whether the implementation of technical, contractual and organisational supplementary measures will ensure an adequate level of protection for the transferred personal data. If not, the transfer must not go ahead.
Since the Schrems II judgment, the Commission has introduced a new version of the SCCs which reflect the increased compliance burden resulting from Schrems II. As stated above, the EDPB has also produced final guidance on supplementary measures. Both these documents suggest that the transfer risk assessment can be more subjective than originally thought (i.e. there is more focus on the risks to the personal data in practice, rather than theoretical risks).
Potential Bumps In The Road Ahead
The Adequacy Decision does not, however, provide the UK with any cast iron guarantees. There are a couple of important caveats to it:
- Firstly, the Commission has stated that it will continue to monitor the data protection framework in the UK and the Commission has the power under the Adequacy Decision to repeal, suspend or amend it at any time if it believes that the UK data protection regime no longer provides an adequate level of protection for personal data. Tensions may arise in this regard if the UK government takes steps to towards implementing its response to the National Data Strategy (the latter was published last September and the government’s response followed in May of this year).
- Secondly, the Adequacy Decision includes a ‘Sunset clause’. The effect of this is that the Adequacy Decision will automatically expire after 4 years unless the Commission renews it. This type of clause is not generally included in adequacy decisions and it will present the UK government with challenges if it attempts to deviate too much from the obligations and protections enshrined in the EU GDPR.
Also, there is always the possibility of a Schrems II type challenge being made in relation to the Adequacy Decision. If this happens, its validity would need to be examined by the CJEU.
For now, at least, data transfers between the UK and EU are free from restriction (other, of course, than the need for general compliance with UK GDPR and EU GDPR requirements).
However, businesses and other organisations will still need to grapple with the impact of the decision in Schrems II whenever they are transferring personal data outside the EU.
If you have any queries in relation to the issues covered in this article or data protection in general, then please get in touch with a member of the Geldards’ Information Law Team.