As expected, the Commission has adopted two adequacy decisions for transferring personal data freely to the United Kingdom – one under the General Data Protection Regulation (GDPR) and the other for the Law Enforcement Directive.
These adequacy decisions also facilitate the correct implementation of the EU-UK Trade and Cooperation Agreement, which foresees the exchange of personal information, for example for cooperation on judicial matters.
It is to be noted that for the first time, these adequacy decisions include a ‘sunset clause’, which limits the duration of adequacy to four years, after which, a new assessment will be carried out.
As a result, it is no longer necessary for organisations to implement additional protection measures such as the Standard Contractual Clauses or the Binding Corporate Rules to transfer personal data to the UK.
What does the adoption of an adequacy decision mean in practice ?
The adoption of an adequacy decision for a specific country means that, for the EU Commision, this specific country provides an adequate level of data protection (i.e. the legal framework is essentially equivalent to the one in the EU).
In practice, it means that organisations subject to the GDPR can share personal data with another organisation located in this third country under the same condition as with an organisation subject to the GDPR.
Concretely, it is not necessary for these organisations to implement additional protection measures such as the Standard Contractual Clauses or the Binding Corporate Rules to transfer personal data to the UK. They must only implement the same measures as if they shared data with a local oraganisation. (e.g. if it is a processor, a controller to processor clause compliant with article 28 GDPR would be necessary)
2. Key findings of the European Commission to adopt the adequacy decisions
The Commision found that the UK provided an equivalent level of protection mainly for the following reasons:
- The UK’s data protection system continues to be based on the same rules that were applicable when the UK was a Member State of the EU.
- Regarding the access to personal data by public authorities in the UK, the UK system provides for strong safeguards such as :
- the collection of data by intelligence authorities is, in principle, subject to prior authorisation by an independent judicial body.
- Any person who believes they have been the subject of unlawful surveillance may bring an action before the Investigatory Powers Tribunal.
- The UK is subject to the jurisdiction of the European Court of Human Rights and it must adhere to the European Convention of Human Rights as well as to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. These international commitments are an essential elements of the legal framework assessed in the two adequacy decisions.
- Transfers for the purposes of UK immigration control are nonetheless excluded from the scope of the adequacy decision adopted under the GDPR due to a recent judgment of the Court of Appeal of England & Wales on the validity and interpretation of certain restrictions of data protection rights in this area. The Commission told, however, that it will reassess the need for this exclusion once the situation has been remedied under UK law.
3. Effect of the Sunset Clause
- The adequacy decisions include a ‘sunset clause’, which limits the duration thereof to four years. After that period, the adequacy findings might be renewed only if the UK continues to ensure an adequate level of data protection.
- Besides, the Commission will monitor the legal situation in the UK and could intervene at any point before the end of this 4 year period, if the UK deviates from the level of protection currently in place.
- If the Commission decided to renew the adequacy finding, the adoption process would start again.
For a full reading of the adequacy decision, click here
For any question, do not hesitate to contact Arnaud Blanc