On Feb. 19, 2021, the European Commission, making use of the powers conferred to it by Article 45(3) of the EU General Data Protection Regulation, released two draft decisions on the adequate protection of personal data by the U.K.: one under the General Data Protection Regulation, the other under the Law Enforcement Directive. If approved, the decisions would grant adequacy status to the U.K. under the GDPR and LED, thereby ensuring EU personal data can continue to flow freely to the U.K., now a third country in the eyes of the EU. In this article, we focus on the draft decision under the GDPR.
In accordance with Article 70 of the GDPR, the commission will request the European Data Protection Board to provide an opinion on the draft decision. The opinion is non-binding but nevertheless influential. Based on recent experiences with the adequacy decision for Japan, the EDPB is an active participant in these types of proceedings. The opinion should provide interesting reading, especially since we know from developments relating to the revised standard contract clauses and the EDPB recommendation on measures that supplement transfer tools, that the commission and EDPB are not always on the same wavelength on the issue of international transfers.
After taking into account the EDPB's opinion, the commission will submit the draft to the member states under the so-called comitology procedure. Assuming the member states give the green light, the commission can formally adopt the adequacy decision. The European Parliament does not have to formally approve the draft decision, but as an important part of the “checks and balances” of the EU political system, the Parliament or some of its committees can — and most likely will — take a stand on the draft decision. In the past, several members of the Parliament have expressed severe reservations about a potential U.K. adequacy.
Timing
The adequacy determination procedure for the U.K. needs to be completed before the expiration of the interim period set by the U.K.-EU Trade and Cooperation Agreement of December 2020. This period currently expires April 30, 2021, but if need be, can be extended to June 30, 2021.
Content
The draft decision is unique and precedent-setting. So far, it is the first and only adequacy decision after the "Schrems II" ruling of the Court of Justice of the European Union, which annulled the Privacy Shield and led the EDPB to prepare its recommendation on measures to supplement transfer tools. It is also the first time the commission had to examine the privacy laws of a country, which until a few months ago had the GDPR as its main privacy law, exactly the same statute that serves as the reference to determine whether the laws of the candidate third country offer "equivalent protection."
The commission is keenly aware that "the danger" for the EU data does not lie in the current U.K. privacy laws but in what those laws may look like in the future. This explains why the commission, in a rare move, limits the duration of the adequacy decision to four years. It can be renewed, in principle for another four years, if the U.K. continues to offer an equivalent level of protection. The renewal is not automatic but will be subject to the proper proof of equivalence. Past adequacy decisions, such as the one for Japan, are not limited in time. They have monitoring and periodic review provisions, as prescribed by the GDPR, but they do not have a hard stop. This one, however, does; the U.K. adequacy stops after four years unless it is renewed in due time.
In the accompanying news release, the commission justifies the limited duration of the U.K. decision by pointing out it wants to ensure it is "future proof" now that the U.K. is no longer bound by the EU privacy rules and can set its own course.
This desire to play safe also explains why throughout the draft decision, the commission emphasizes the decision is based not only on the domestic U.K. privacy laws, but also on obligations enshrined in international law, in particular, the European Convention on Human Rights and Convention 108, as well on as the U.K.’s submission to the jurisdiction of the European Court of Human Rights.
While U.K. domestic privacy laws may change over time, these international instruments ensure the U.K. remains part of the European privacy family. As indicated in Recital 270, adherence to these international instruments was an important part of the draft decision. It will continue to be so in the future, including possible extensions of the current decision beyond the initial four-year period.
A closer look
The draft decision is long and very detailed. It sets out the current data protection framework in the U.K. and describes the rights, obligations and safeguards, as well as the oversight and enforcement structure in the U.K. The similarity with the GDPR is striking although obviously not surprising.
Recitals 75 through 82 describe the U.K. provisions on onward transfers. The commission is aware concerns have been expressed that the U.K. might become a backdoor for EU personal data to go to the U.S. It is, therefore, somewhat surprising the draft decision does not mention the "Schrems II" ruling, the ongoing revision of the SCCs and the draft EDPB recommendation on supplemental measures.
"Schrems II," in any case, was part of the body of U.K. law that the commission looked at when deciding on the adequacy finding. Things are less clear for SCCs and the EDPB recommendation, which are still in draft form. We would expect the EDPB in its opinion to request clarification on this.
A large part of the draft decision is devoted to issues of government access in the U.K., for criminal law enforcement and national security purposes. In Recitals 112 through 265, the commission sets out in painstaking detail the legal bases, limitations and safeguards of the various instruments that law enforcement agencies and intelligence services have at their disposal, the oversight structure in place, as well as the redress mechanism available to data subjects.
On this issue, the commission comes to the conclusion that "any interference with the fundamental rights of the individuals whose personal data are transferred from the European Union to the United Kingdom by United Kingdom public authorities for public interest purposes, in particular law enforcement and national security purposes, will be limited to what is strictly necessary to achieve the legitimate objective in question, and that effective legal protection against such interference exists (Recital 268).” The commission emphasizes once again that its conclusion is based not only on a review of the current domestic laws in the U.K. but also on the U.K.’s adherence to the European Convention of Human Rights and its submission to the jurisdiction of the European Court of Human Rights.
The detailed description of U.K. laws allowing government access, the findings of the commission on these laws, the ongoing public debate and — who knows — possible legal challenges to the decision, will provide useful guidance for future adequacy decision candidates. They will be particularly important for the ongoing discussion between the EU and the U.S. on a “Privacy Shield 2.0” agreement.
What should companies do?
Pending the outcome of the discussions on U.K. adequacy, many companies have taken a wait-and-see approach toward their EU-U.K. data transfers, having done nothing specific to address those. Those companies need to monitor the further legislative development of the adequacy proceedings.
No further action is required if the adequacy decision is approved before June 30, 2021. Companies, of course, need to address other issues relating to Brexit, such as the appointment of a representative or the selection of a new main establishment in the EU. Those action items are not affected by the adequacy decision.
Companies that had lost all hope for an adequacy decision and already put in place SCCs for their EU-U.K. transfers can let those expire or terminate them by mutual agreement. All of this, of course, assumes that the draft U.K. adequacy decision will be approved.
Photo by James Newcombe on Unsplash