Transfers of Personal Data to the UK:  Draft Adequacy Decisions Published by European Commission

PUBLISHED: 12th March 2021

Two draft adequacy decisions in respect of the United Kingdom were published by the European Commission on 19 February 2021. 

While the decisions still need to be formally adopted, this is a major step towards ensuring the continued free flow of personal data between the European Economic Area (EEA) and the UK.

The Commission’s draft adequacy decisions outline its conclusion that the UK does provide an adequate level of protection for personal data transferred within the scope of Regulation (EU) 2016/679 (GDPR) and Directive (EU) 2016/680 (Law Enforcement Directive) from the EEA to the UK.  This update comes as a relief to controllers and processors in the EEA and the UK who faced considerable uncertainty at the end of the Brexit transition period.

EU-UK Trade and Cooperation Agreement

The EU-UK Trade and Cooperation Agreement (TCA) came into effect on 1 January 2021.  The TCA allows for a grace period of up to six months during which transfers of personal data from the EEA to the UK can continue without any further safeguards being necessary.

It is intended that adequacy decisions in respect of the UK will be adopted within this timeframe: under the GDPR and under the Law Enforcement Directive.  The publication of the draft decisions by the Commission on 19 February is a significant step towards the formal adoption of the adequacy decisions for the UK.

For more information on data protection under the TCA, see our previous article: Post-Brexit Transition – What now for data transfers to the UK?

Draft Adequacy Decisions

Article 45 of the GDPR and Article 36 of the Law Enforcement Directive provide that transfers of personal data can take place from the EEA to a third country without the need for any additional safeguards, where the Commission decides that the third country in question “ensures an adequate level of protection”.  The Commission has conducted a comprehensive review, in accordance with Articles 45 and 36, and has concluded that the UK provides an adequate level of protection for personal data that is “essentially equivalent” to the protection within the EU.

The Commission’s draft decisions are based on the UK’s domestic law and practice as well as its international commitments.  In particular, the Commission provides that the UK’s continued adherence to the European Convention of Human Rights, Convention 108 and its submission to the jurisdiction of the European Court of Human Rights is “a particularly important element of the assessment on which this Decision is based”.

If formally adopted, the Commission’s adequacy decisions will apply for a period of four years.  However, the UK will continue to be monitored to ensure it maintains an adequate level of protection.  If the level of protection afforded by the UK is no longer considered to be adequate, the adequacy decisions may be suspended, repealed or amended.

What Now?

While the draft adequacy decisions are good news for those hoping to continue transferring personal data from the EEA to the UK after the grace period, this is only the beginning of the process:

1. The European Data Protection Board (EDPB) will now scrutinise the draft decisions and issue a non-binding opinion, which the EU Commission must take into consideration.
2. The EU Commission will then have to obtain formal approval from a committee composed of representatives of the EU Member States.
3. The EU Commission can then formally adopt the adequacy decisions as implementing decisions.

It remains to be seen whether this process will be completed within the timeframe set out in the TCA, but the UK Government has stated that it “now urges the EU to swiftly complete this technical process for adopting and formalising these adequacy decisions as early as possible”.

If you would like to learn more about anything in this note, or how these issues may apply to your organisation, please contact a member of our privacy team.