A recent decision by the European Commission has granted the United Kingdom the “adequacy” status needed for international data transfers to be considered legal under the terms of the General Data Protection Regulation (GDPR).
The judgment declares the UK’s national data protection laws as being “essentially adequate” to the terms of the GDPR, meaning that carefully-worded standard contractual clauses (SCCs) and convoluted added protection mechanisms to keep personal data out of the hands of the government will not be necessary. Though the UK has formally separated from the EU and is no longer subject to the terms of the GDPR, it retains a national data protection law modeled after it with very similar terms.
EU-UK data transfers given the green light
The data transfer decision accompanies a determination of adequacy of the Law Enforcement Directive, which the UK has also synthesized into its new law. This directive was activated along with the GDPR in 2018 and lays down rules for law enforcement processing of the personal data of investigation subjects. The two decisions together help to facilitate the EU-UK Trade and Cooperation Agreement which includes terms for digital trade, intellectual property and judicial cooperation among other relevant items. Both decisions will remain in force until they “sunset” in four years time.
The decision certifies that the UK has fully incorporated the principles, rights and obligations of the GDPR into its post-Brexit system of data transfer law. It notes the country’s “strong safeguards” for personal privacy, including the right of citizens to bring unlawful surveillance cases before the Investigatory Powers Tribunal and the UK’s continued membership and participation in the European Council of Human Rights. A lack of similar measures has caused friction between the EU and US in the wake of the Schrems II court decision, which established that the level of access that country’s government has to foreign data should terminate its status as an adequate partner.
The arrangement with the UK is unique in that it is the first time an adequacy decision has included a sunset clause. The terms can be renewed in four years so long as the UK maintains an adequate level of data transfer protections; as long as the country maintains parity with the protections offered by the GDPR, it will continue to be treated as if it is still an EU member for the purposes of data transfer.
GDPR equivalency a hard requirement for EU data partners
Data transfer adequacy can be hard to come by for EU trading partners in the wake of the Schrems II decision. That case, a privacy complaint against Facebook that simmered in courts for years before a surprise determination was made last year, essentially rules out any country in which there is no guarantee that the government will not help itself to the data of foreign citizens that comes across its borders. Trading partners in countries such as the US are now forced to carefully construct SCCs that spell out exactly how they are safeguarding EU citizen data from government spying and seizure, frequently with combinations of identity obfuscation and strong encryption.
While the Schrems II decision doesn’t block countries off from digital trade with the EU, it does create more onerous and expensive terms for trading partners that fall on the wrong side of it. The data transfer decision allows UK businesses to skip the process of untangling the European Data Protection Board (EDPB)’s guidance for partners in “untrusted” third countries. However, it may not be a permanent state of affairs given rumblings in the UK government (most notably from Secretary of State for Digital Oliver Dowden) about eventually breaking away from the GDPR model and attempting to build a unique data protection regime while continuing to maintain parity. It is believed that this talk is what prompted the unusual step of including a sunset clause in the arrangement.
The key element for data transfer adequacy is a national-level privacy law with terms that can be interpreted as being equivalent to the GDPR, something that the US more and more conspicuously lacks as the years go on. Alexander Egerton, Partner at Seddons, notes that this ruling solidifies that other countries can expect to become trusted data transfer partners if they tailor their privacy laws to GDPR standards: “This decision shows that the EU acknowledges that the UK has an identical privacy framework to the EU so allowing for these data flows works in the interests of all. If the decision was different then that may deter other “third countries” from seeking “adequacy” (the framework where the EU is more relaxed about data transfers out of the EEA because the recipient country has robust privacy rules). To seek an adequacy ruling involves time negotiating with the EU and making consequential changes to the third country’s privacy rules. This would not happen if the third country thought the process would never lead to an adequacy ruling. Having the power to award adequacy gives the EU a lot of influence as global privacy rules evolve in the light of big tech and new technologies – this would be reduced if adequacy was never granted. If the UK at the expiry of sunset period has diluted the UK GDPR then EU – UK data transfers will follow the fluid EU-US pattern where compromises such as Safe Harbor and the Privacy Shield were annulled by the EU and any EU US transfer carries risk.”
The European Commission is desperate to avoid a “Schrems III” and as such is being stringent about data transfer requirements. The UK transitioned seamlessly from being under the GDPR to its own Data Protection Act as the calendar turned over to 2021; it was in a unique position as the act was adopted in 2018 specifically to ensure compliance with the GDPR as it went into force at that time. But the newly independent country will wrestle with the temptation of loosening up data regulations for economic reasons, something that could force it into a tightrope-walking act as it deals with the EU going forward. As Kate Brimsted, Partner at international law firm Bryan Cave Leighton Paisner, noted: “While this comes as a relief (if not a surprise), the UK will have to box clever when it comes to its post-Brexit liberalisation of laws, and its digital strategy-setting. The UK government’s TIGRR report earlier this month proposed replacing the GDPR with a “more proportionate framework”, something which sounds exactly the kind of move likely to endanger the UK’s adequacy decision, if taken up.”