European Data Protection Board cautiously welcomes UK Adequacy Decisions

The European Data Protection Board (the EDPB) adopted two opinions last month on the draft adequacy decisions on personal data transfers to the UK published by the European Commission in February. 

These opinions and the draft adequacy decisions concern the continued free flow of data under the General Data Protection Regulation (the GDPR) and the Law Enforcement Directive between member states of the European Economic Area (the EEA) and the United Kingdom (UK), now that the UK is no longer a member state of the European Union. 

The GDPR places additional obligations on personal data transfers to countries outside the EEA which are designated ‘third countries’ under the GDPR. Transfers to third countries require additional safeguards to be implemented, such as ‘Standard Contractual Clauses’ (model clauses approved by the European Commission), but this requirement will not apply to the UK if the adequacy decisions are adopted. 

Personal data transfers to the UK have, since 1 January 2021, relied upon a bridging measure in the UK-EU Trade and Cooperation Agreement for the adequacy decisions to be implemented, which expires at the end of June this year (see our earlier report on this 'bridge').  

The EDPB is comprised of the data protection supervisory authorities across all member states of the EEA. Its opinions are non-binding but highly influential.

“Strong alignment” between UK and EU data protection regimes

The EDPB concluded, due to the fact that its data protection framework in the UK is largely based on the data protection framework of the European Union, e.g. the GDPR and the Law Enforcement Directive, the UK is in a unique position compared to other third countries. Core concepts and provisions are common to the legal framework in each regime and so the EDPB concluded that, in many aspects, the level of protection of personal data in the UK to be “essentially equivalent” to that found under European law. 

Areas of concern and further consideration by the European Commission

The EDPB caveated its conclusions by identifying a number of challenges now and in the future to grounding the adoption by the European Commission of the adequacy decisions: 

• Onward transfers: The EDPB emphasised concern on the risk of unrestricted transfers of personal data originating in the European Union onward from the UK to other third countries on the basis of, for example, future adequacy decisions adopted by the UK or international agreements concluded between the UK and third countries. In particular, the EDPB recommended the Commission scrutinise the UK-US CLOUD Act Agreement, which regulates access to electronic data between the UK and United States for the purpose of countering serious crime, in order to ensure appropriate safeguards are maintained.

• Immigration exemption: The EDPB also expressed concern regarding the so-called “immigration exemption” under the UK Data Protection Act which relieves controllers involved in immigration-related activities of certain obligations under the GDPR as it is “broadly formulated” in permitting controllers to share personal data for the purposes of immigration control.

• Access by public authorities: The EDPB’s conclusions on access by UK public authorities to personal data transferred to the UK for national security purposes was a mixed bag. On the one hand, the EDPB welcomed the fact that the UK has established the Investigatory Powers Tribunal and Judicial Commissioners, which provide mechanisms for redress and oversight as required by European law, but called on the European Commission to examine and monitor conditions relating to the following in the UK:
  
  • Bulk interceptions of communications,
    
  • Independent assessment and oversight of the use of automated processing tools, and
    
  • Safeguards provided under UK law when it comes to overseas disclosure, in particular in light of the application of national security exemptions.

What next for the Adequacy Decisions?

The European Commission will consider the EDPB’s opinions and seek the formal approval of representatives of the 27 European Union member states. If such approval is obtained, it is then for the European Commission to make the final decision on whether to adopt the adequacy decisions. 

In order for personal data flows to the UK to enjoy a smooth transition from the bridging mechanism to an adequacy decision, this will require the above steps to be completed before the 30 June 2021 deadline, which could prove challenging.

If adopted, the adequacy decisions will be valid for four years and may be subject to interim periodic reviews and monitoring by the European Commission should the data protection regime in the UK begin to diverge. 

Next steps for your business

In order to ensure no interruption to personal data flows with the UK should the adequacy decision not be adopted in time or at all (or if the adequacy is granted but later revoked), businesses can look to implement other appropriate safeguards as recognised transfer mechanisms. 

The Standard Contractual Clauses noted above are one such appropriate safeguard but are not sufficient in themselves and must be accompanied by risk assessments and supplementary measures, where appropriate.  Our team can provide further advice on international data transfers and the usage of Standard Contractual Clauses and other appropriate safeguards to transfer personal data lawfully to third countries. 

For further information, please contact Seán O’Donnell, Zelda Deasy, Kelly Mackey or any member of the ByrneWallace LLP Data Protection/GDPR Team.