Euan Temple - EU data protection adequacy decision
EU data protection adequacy decision, hurrah and just in time
British data protection standards are “adequate”, the EU has ruled in a long-awaited decision. On 28 June 2021, following the agreement of the EU Member States’ representatives, the European Commission adopted two Adequacy Decisions for the United Kingdom - one in relation to the General Data Protection Regulation (GDPR) (Brussels, 28.6.2021, C(2021) 4800 final) and the other in relation to the Law Enforcement Directive (LED).
Adequacy will allow the UK to benefit from continued unrestricted data flows between the UK and the European Economic Area. Broadly, this is the EU Member States plus UK, Norway and Iceland.
‘Adequacy’ means that GDPR-covered data subjects can be confident that their personal data will be protected if it is transferred to the UK. The two Adequacy Decisions will also facilitate the exchange of personal information in matters of judicial cooperation.
However, the Adequacy Decisions are not permanent and include strong safeguards - the UK’s Adequacy will expire after four years and will only be renewed if it satisfies ongoing scrutiny. Adequacy can also be revoked by the European Commission prior to expiration.
Failure to get a positive decision would have risked plunging British businesses into disarray, leaving industries (from banking to logistics) scrambling to set up more costly, bureaucratic alternatives to share data.
The above decisions were published just two days before the end of the Transitional Period provided for in the Trade and Cooperation Agreement. Their publication therefore prevents entities wishing to transfer data to the UK and/or the EU from needing to adopt additional mechanisms (such as Standard Contractual Clauses) to legitimise international transfers on a temporary basis, as was originally envisaged if Adequacy Decisions were not formalised during the Transition Period.
The key elements underpinning the Adequacy Decisions are:
* The UK’s data protection system continues to be based on the same rules that were applicable when the UK was part of the EU.
* The UK has fully incorporated the principles, rights and obligations of the GDPR and the Law Enforcement Directive into its post-Brexit legal system.
* Personal data accessed by public authorities in the UK (ie for national security reasons) is covered by strong safeguards, specifically:
a) the collection of data by intelligence authorities must be authorised in advance by an independent judicial body and any measure needs to be necessary and proportionate to what it intends to achieve;
b) any person believing they have been the subject of unlawful surveillance may bring an action before the Investigatory Powers Tribunal; and
c) the UK is subject to the jurisdiction of the European Court of Human Rights and must adhere to the European Convention of Human Rights and the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, the only binding international treaty in the area of data protection (these international commitments are key aspects of the UK’s Adequacy Decisions);
* The Adequacy Decisions will expire automatically four years following effectiveness, after which the adequacy findings can be renewed if the European Commission determines that the UK continues to ensure an adequate level of data protection;
* During the four-year adequacy period, the European Commission will monitor the UK and can intervene at any point if the UK deviates from the level of protection currently in place; and
* If the European Commission decides to renew the UK’s adequacy, the adoption process must start again.
Article by Euan Temple