UK Adequacy Decision Drafted

By Dave McKay | February 26, 2021

Post-Brexit EU-UK Adequacy Decision Has Been Drafted

Before you can transmit personal data from a European Union country to a country not within the EU or the European Economic Area—known as a third country—there has to be an adequacy decision made by the European Commission. The third country must have a framework in place that both provides data protection and upholds the rights of the data subjects as well as—or better than—the EU’s General Data Protection Regulation.

Since the UK’s departure from the EU in January of 2021, the UK is a third country. According to the European Commission, the UK provides a level of protection of personal data that is equivalent to the EU’s laws. Given that Chapter Two of the Data Protection Act 2018 contains an almost verbatim version of the GDPR, that’s hardly surprising.

Secretary of State for Digital, Culture, Media and Sport Oliver Dowden said:

I welcome the publication of these draft decisions which rightly reflect the UK’s commitment to high data protection standards and pave the way for their formal approval.

Although the EU’s progress in this area has been slower than we would have wished, I am glad we have now reached this significant milestone following months of constructive talks in which we have set out our robust data protection framework.

I now urge the EU to fulfil their commitment to complete the technical approval process promptly, so businesses and organisations on both sides can seize the clear benefits.

The adequacy decision still has to go through some due process, but it seems safe to say we’ll be awarded one. Without an adequacy decision, the transfer of personal data between the EU and the UK would have required one of the following mechanisms to be used to safeguard the data:

  1. Standard Data Protection Clauses
  2. Binding Corporate Rules
  3. Codes of Conduct and Certification Mechanisms
  4. Derogations

That all seems fine. Avoiding another layer of legislation and complexity is a win, and effectively transitioning from the EU GDPR to the UK GDPR and ending up with more-or-less “business as usual” is an even bigger win.

But I’ve got a sneaky feeling Max Schrems will not let this go unchallenged. He brought a case to the Irish High Court, which referred it to the European Court of Justice (CJEU), and the resulting ruling rendered the US’s Privacy Shield agreement invalid. Privacy Shield was the US’s equivalent of an adequacy decision.

The reason for this was that the US’s intelligence agency and national security surveillance programmes are not limited to what is strictly necessary, according to the CJEU:

“The requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred,” it said.

“The limitations on the protection of personal data arising from the domestic law of the United States… are not circumscribed in a way that satisfies requirements.”

The UK’s Investigatory Powers Act (2016) (IPA) could be seen in exactly the same way. The CJEU does say that they consider the powers of IPA for law enforcement and national security as “necessary and proportionate.”

We’ll have to wait and see what Max Schrems thinks about that.