Privacy & Information Security Law Blog

On June 28, 2021, the European Commission (the “Commission”) adopted two adequacy decisions for the United Kingdom, one under the General Data Protection Regulation (“GDPR”) and another under the Law Enforcement Directive. Their adoption means organizations in the EU can continue to transfer personal data to organizations in the UK without restriction, and will not need to rely upon data transfer mechanisms, such as the EU Standard Contractual Clauses, to ensure an adequate level of protection. The adoption comes just before the conditional interim regime under the EU-UK Trade and Cooperation Agreement, under which data could flow freely from the EU to the UK, was set to expire on June 30, 2021.

Following the UK’s departure from the EU, the country has incorporated the GDPR into UK law, in the form of the UK GDPR. Accordingly, the UK’s data protection regime closely mirrors that of the EU, implementing the principles, rights and obligations of the GDPR. The Law Enforcement Directive had already been incorporated into the UK Data Protection Act 2018 (“DPA 2018”). Of note, the Commission excluded from the scope of the GDPR adequacy decision transfers made for the purposes of UK immigration control, to reflect a recent judgment of the UK Court of Appeal in R (Open Rights Group and the3million) v Secretary of State for the Home Department and Others [2021] EWCA Civ 800, which ruled that the immigration exemption in the DPA 2018 is unlawful. The Commission stated that it will reassess the need for this exclusion once the underlying position has been remedied under UK law.

Both adequacy decisions include a provision requiring an automatic review of the adequacy of the UK legal regime within four years. If, after that time, the adequacy of the UK has not been re-affirmed by the Commission, the adequacy decisions will lapse.  The Commission noted that it had considered the concerns raised by the European Parliament and the European Data Protection Board with respect to the draft form of the adequacy decisions issued in February 2021, and that it would continue to monitor any changes in the UK and intervene as required.

Věra Jourová, Vice-President for Values and Transparency, said: “We have listened very carefully to the concerns expressed by the Parliament, the Members States and the European Data Protection Board, in particular on the possibility of future divergence from our standards in the UK's privacy framework. We are talking here about a fundamental right of EU citizens that we have a duty to protect. This is why we have significant safeguards and if anything changes on the UK side, we will intervene.” Didier Reynders, Commissioner for Justice, added: “The Commission will be closely monitoring how the UK system evolves in the future and we have reinforced our decisions to allow for this and for an intervention if needed.”

Despite concerns over the level of access public authorities in the UK have to personal data, the Commission commented in its press release that the UK system provides for strong safeguards. The Commission highlighted that the collection of data by UK intelligence authorities is, in principle, subject to prior authorization by an independent judicial body, and that any access to data needs to be necessary and proportionate to the purpose pursued. Individuals also have the ability to seek redress in the UK Investigatory Powers Tribunal. The Commission further noted that the UK remains subject to the jurisdiction of various EU bodies and Conventions, including the European Court of Human Rights and Convention 108, the only binding international treaty in the Data Protection Field.