EU has drafted its adequacy decision on the UK…and it seems we’re adequate.
As predicted in an article I wrote earlier this year, the EU are on the cusp of finding the UK’s data protection regime adequate. The draft decision has been published and, so that you don’t have to read the whole 87 page document, I took one for the team and have summarised the bits I thought might be of interest: the salient points and their potential impacts. As always this is legal information and does not constitute advice. If you do want something more tailored to your organisation, then get in contact here. Ok, so what’s in the draft adequacy decision…
Adequacy, what’s that?
As we all know by now, GDPR governs how data can flow freely throughout the Union of 27 Member States. That’s great if you only want to transfer data within the Union. But what if you wanted to transfer data outside the Union to what is known as a Third Country? How can Data Subjects have comfort that their personal data will be protected to the same levels as they would expect if the data remained in the EU? The short answer is that GDPR mandates data subjects must have an equivalent level of protection when their personal data is transferred outside the EU, and it achieves this in a number of ways. For the purposes of this discussion, we will concentrate on one tool the European Commission can use to simplify data transfers to a Third Country – Adequacy.
Essentially, the adequacy process assesses a Third Country’s data protection regime and makes a decision on whether the regime provides an adequate (not necessarily equivalent) level of protection. If the regime in the Third Country is deemed adequate then data can travel “freely” to that Third Country without any other safeguards above and beyond what the Third Country would expect for the data transfers relating to its own citizens. That’s not the end of the story though. An adequacy decision may not cover every possible type of data transfer. For example, Canada’s adequacy decision only covers commercial organisations and adequacy decisions do not cover data exchanges in the law enforcement sector. Adequacy decisions can also be challenged and invalidated in the courts. It’s therefore important to review the limitations of an adequacy decision before deciding whether you can rely upon it as a lawful basis for your particular international data transfers.
So why is adequacy important to the UK?
Unless you have been living under a rock, on a desert island, in the middle of the Pacific for the last few years, you will no doubt be aware that in June 2016 the UK voted to leave the EU and completed its departure in January 2020. What followed was a period of transition that ended on 31st December 2020, when the EU and the UK entered into a limited trade deal. Part of that trade deal covered data protection. You can read about what it said in a little bit more detail here. Prior to the deal nothing much changed. Within the deal, the UK and EU negotiated an equivalence for the UK’s data protection regime until an adequacy decision could be made, or the clock ticked past midnight on 30th June. Without an adequacy decision, UK-based entities would instead need to rely on other safeguards (detailed in Article 46 of GDPR) to continue processing the personal data of EU citizens. Such a scenario would be expensive for UK businesses. To quote Lord Falconer, GDPR could have ended up being “a gift that keeps on giving” as law firms would be kept busy renegotiating and amending hundreds of thousands of contracts to incorporate standard contractual terms et al. In short, an adequacy decision would save UK businesses a significant amount of money! What is positive for UK businesses is that the EU is set to ratify a decision that states our data protection regime is “adequate”.
So what does the draft decision say?
The draft – and it is currently only a draft – states the EU considers the UK’s data protection regime as adequate. The draft adequacy decision suggests the decision will be valid for 4 years from the date it is formally ratified. The adequacy decision does not, as previously mentioned, cover data exchanges in the law enforcement sector which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680). The key paragraphs most UK businesses are likely to find useful are as follows:
Paragraph (266) of the draft states: “The Commission considers that the UK GDPR and the DPA 2018 ensure a level of protection for personal data transferred from the European Union that is essentially equivalent to the one guaranteed by Regulation (EU) 2016/679.”
Paragraph (282) states: “It is therefore appropriate to provide that this Decision will apply for a period of four years as of its entry into force.”
From what I can ascertain, with the exception of law enforcement, all other data transfers, both private and public sector, are covered.
What about mass surveillance? Surely that was a barrier to adequacy?
Mass surveillance, or the bulk collection of citizens’ data for surveillance purposes, is covered in significant detail within the draft decision. Some may remember that, as a result of the information provided by Edward Snowden, it was widely publicised that UK intelligence agencies were engaged in a programme of mass surveillance on UK citizens. This programme was ultimately ruled unlawful by the European Court of Human Rights. Whilst the ruling was deemed a success for privacy advocates, there were (and still are) significant concerns in relation to the replacement for RIPA 2000, the Investigatory Powers Act (IPA) 2016. The European Commission has explored IPA 2016 and the supporting legislative infrastructure and it appears to have determined that, in totality, there are adequate levels of protection and safeguards to prevent the State having unfettered access to UK citizens’ data for the purpose of snooping! But this could still be challenged in the courts…
Ok, Schrems. Got to be something in there about Schrems…?
I’m not going to rehash Schrems here. There are plenty of articles you can read – like this one. Suffice to say, the impact of the Schrems cases has formed part of the adequacy decision.
Paragraph (273) states: “It should be recalled that, pursuant to Article 58(5) of Regulation (EU) 2016/679 and as explained by the Court of Justice in the Schrems judgment, where a national data protection authority questions, including upon a complaint, the compatibility of a Commission adequacy decision with the fundamental rights of the individual to privacy and data protection, national law must provide it with a legal remedy to put those objections before a national court which may be required to make a reference for a preliminary ruling to the Court of Justice.”
So, here’s the potential sting in the tail. If someone successfully challenges the adequacy decision in the courts – and the UK must provide a means for a person or organisation to make such a challenge – then the UK adequacy decision could be ruled invalid. This would mean any transfers of personal data between the EU and UK would no longer be able to rely on the [invalidated] adequacy decision as a basis for international data transfer. In such a scenario, similar to when the US Privacy Shield was ruled invalid, affected parties would then need to ensure appropriate safeguards are instead put in place to ensure data exchanges remain lawful. Whether someone mounts a successful challenge remains to be seen, but it is a real risk nonetheless.
So what does this all mean for me and my business?
For the time being, organisations can breathe a sigh of relief that their transfers to the EU, and vice versa, will likely be covered by an adequacy decision that will be reviewed in around 4 years – as long as no one successfully challenges it, of course. Once ratified, what businesses will need to do, at the very least, is update their Privacy Notices to reflect that transfers between the EU and the UK are lawful on the basis of adequacy.
Whilst this was a very quick run through there may be other things people think are worthy of note…please feel free to add them in the comments below…and as always Fox Red Risk are ready and waiting to help if you need specific advice.
About Fox Red Risk
Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing control frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.