The UK adequacy decision for European data transfers

06 July 2021

In all the excitement over the temporary truce recently reached with the EU over the Northern Ireland sausage war, you may have missed an even more momentous announcement on 28 June.

This was the publication by the European Commission of its “Adequacy Decision” in relation to the UK’s system of data protection law.

As you may recall, before the end of the Brexit transitional period at the end of last year, in common with the 27 EU Member States, data protection in the UK was governed by the EU General Data Protection Regulation (“GDPR”).

In theory, that situation ended at 11 pm on 31st December last year.

 

Why was this an issue?

Well, because the GDPR – with some exceptions – prohibits the transfer of data from within the EU to a “third country” (which, since 1st January this year, has included the UK) unless either:

(i) that third country has an “adequate” system of data protection law (in the EU’s opinion); or

(ii) suitable safeguards have been put in place to protect the personal data being transferred. 

Such “suitable safeguards” will typically involve entering into specific data transfer agreements using standard contractual clauses issued by the European Commission, which can be time-consuming and expensive to put in place.

In theory, that would have meant that a manager in a company based in, say, Edinburgh that wished to view sales figures from its office in Amsterdam would have needed to put in place “suitable safeguards” – otherwise, the data transfer would have been unlawful and could have attracted fines of up to the higher of €20,000,000 or 4% of its group turnover.

To avoid such a cliff edge scenario, the UK and the EU agreed a last-minute six-month extension of the transitional period to give time for the Commission to complete its review of the UK data protection system.  This has allowed the data to keep flowing over the last six months.

The good news is that, as of last Monday, such “suitable safeguards” will no longer be necessary for transfers between the EU and UK since the EU has found that the UK’s system of data protection law, which is now contained within the Data Protection Act 2018, is up to the job.

Since the Data Protection Act 2018 essentially imports the GDPR lock, stock and barrel into UK law, it would have been surprising if the EU hadn’t given it the thumbs up, but all the same, this is good news.

 

However, there are a few wrinkles.

First… picking up on a recent case before the Court of Appeal, the adequacy decision does not apply to personal data transferred from the EU to the UK for the purposes of immigration enforcement, so any company facing an official request for data relating to a staff member which originates in the EU will have to think carefully (and take legal advice) about complying.

Secondly… the EU has made it clear that it has its eyes fixed firmly on the UK and that the Adequacy Decision can be revoked if the UK shows signs of rowing back from the legal protections currently in place here.  This includes continued compliance, not only with data protection law, but also with the European Convention on Human Rights and submission to the jurisdiction of the European Court of Human Rights.

This, of course, will be Kryptonite to those such as the Task Force on Innovation, Growth and Regulatory Reform (“TIGRR”) – which five-year-old thought that one up? – headed by Iain Duncan Smith MP, which in a recent report to the Prime Minister, argued that the existing system of data protection law was unfit for purpose in the age of Artificial Intelligence and should be relaxed.

That is clearly not going to happen any time soon so, in the meantime, companies should continue to abide by their obligations under data protection law.

A final point, however.

Despite the Adequacy Decision, the UK remains a “third country” as far as the EU is concerned.  That means that companies which process the personal data of individuals in the EU but do not have a physical presence there need to appoint a representative in the EU (a so-called “Article 27 Representative”).

360 Business Law provides such a service on behalf of its clients via our EU-based operations. We also provide the equivalent service in the UK for EU-based customers that do not have a physical presence here.

Duncan Gillespie – Corporate and Commercial Solicitor

Copyright © 2020 360 Business & Private Client Law Limited. All rights reserved.