EU Commission’s latest position on the EU-UK personal data flows
EU Commission releases two draft adequacy decisions
On the 19th of February 2021 the European Commission released two draft adequacy decisions: (i) one under the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”) and (ii) the other under the EU Law Enforcement Directive (EU) 2016/680 (“LED”).
These drafts were adopted in the context of the ongoing discussions between the EU and UK on the flow of personal data between them. After the UK withdrew from the EU on 31 January 2020, and the transitional period ended on 31 December 2020, transfers of personal data to the United Kingdom are governed by the EU-UK Trade and Cooperation Agreement (“TCA”), applicable as of 1 January 2021.
The TCA provides for an interim regime (so-called ‘bridging clause’, enshrined in Article FINPROV.10A of the TCA) that ensures the full continuity of personal data flows between the EEA and the UK, with no need for companies and public authorities to put in place any transfer tool under the GDPR or the LED. This solution is applicable for a period of a maximum of six months (i.e. the end of June 2021), and it is conditional on the commitment by the UK not to change the data protection regime currently in place.
Legal basis for the adequacy decisions
Article 45(3) of the GDPR and Article 36(3) of the LED grant the EU Commission the power to decide, by means of an implementing act, that a non-EU (third) country ensures “an adequate level of protection”, i.e. a level of protection for personal data that is essentially equivalent to the level of protection within the EU, which means that the country is “adequate”.
If a non-EU country has been found “adequate”, transfers of personal data from the EU to the respective non-EU country can take place without being subject to any further conditions.
Over the past months, the EU Commission has carefully assessed the UK’s law and practice on personal data protection, including the rules on access to data by public authorities, as described in detail in the draft adequacy decisions released by the EU Commission. Based on its assessments of the UK laws, the EU Commission concluded, subject to its final approval, that the UK ensures an essentially equivalent level of protection to the one guaranteed under the GDPR and, for the first time, under the LED.
Importance of these draft adequacy decisions
Assessing that the UK ensures an adequate level of protection of personal data is very important for a continued business relationship between the UK and the EU post Brexit, as it will, once confirmed, assist companies on both sides of the Channel to focus their data privacy resources on real data privacy issues, instead of investing resources and time in implementing contractual arrangements to address the adequacy gap. That is why the EU Commission’s release of the draft adequacy decisions is a critical milestone in the EU-UK ongoing discussions relating to the transfer of personal data between them.
The drafts published by the EU Commission are also a great source of information on the data protection law in the UK. They are a testimony of efforts that went into the EU assessment processes, and will hopefully receive the required EU approvals before the expiry of the above-mentioned six months interim arrangement.
Before the EU can formally grant the adequacy status to the UK laws, it needs to consult the European Data Protection Board (“EDPB”) and a committee composed of the representatives of EU Member States’ governments in the so-called comitology procedure. The EU comitology procedure applies, in principle, when the EU Commission has been granted implementing powers in the text of EU law, as is the case here, and depending on the procedure used (i.e. examination procedure or advisory procedure), committee opinions can be more or less binding on the EU Commission.
This EU procedure is currently expected to be completed before the end of June 2021, when the above-mentioned interim six-months arrangement for personal data flows under the EU-UK Trade and Cooperation Agreement officially ends.
If the draft adequacy decisions are formally adopted by the EU Commission, the adequacy of the UK and its laws will be valid for a period of four years, and it will mean that during that period personal data can be freely transferred between the UK and the EU without the need for any further authorisations. After four years, there is the possibility to renew the adequacy finding if, at the time, the level of protection of personal data in the UK is still assessed by the EU as adequate.
If you have any questions in regard to this topic, please do not hesitate to contact us.