UK granted data protection adequacy under GDPR

The European Commission has granted the UK data protection adequacy under the General Data Protection Regulation (GDPR), a decision that will allow UK organisations to continue to transfer data to and receive data from EU countries without the need for additional safeguarding measures.

For some time, a cloud of uncertainty has hung over the immediate and long-term future of the UK’s GDPR data compliance position post-Brexit. Since January, the UK has benefitted from a temporary deal that granted it provisional data protection adequacy under GDPR. This meant that the UK – despite being a non-EU or “third country” under GDPR law – has been deemed to meet the required GDPR data protection standards. However, that deal was only a stopgap pending a final decision on the UK’s long-term data adequacy.

Data protection adequacy approved, subject to review

Following a promising but non-binding opinion published by the European Data Protection Board (EDPB) in April this year that the UK’s data protection adequacy should be accepted barring a handful of factors that needed further inspection, the European Commission has today published a paper outlining its decision to approve the UK’s full data protection adequacy position. The adequacy regulations must be reviewed at intervals of not more than four years.

“The adoption of an adequacy decision has to be based on a comprehensive analysis of the third country’s legal order, covering both the rules applicable to the data importers and the limitations and safeguards as regards access to personal data by public authorities,” the European Commission explained. “As clarified by the Court of Justice of the European Union, this does not require finding an identical level of protection. In particular, the means to which the third country in question has recourse for protecting personal data may differ from the ones employed in the European Union, as long as they prove, in practice, effective for ensuring an adequate level of protection.”

The Commission stated that it has carefully analysed the law and practice of the UK and, based on its findings, concluded that the UK ensures an adequate level of protection for personal data transferred within the scope of Regulation (EU) 2016/679 from the European Union to the UK.

Data protection adequacy not applicable to immigration data

However, the European Commission said its conclusion does not concern personal data transferred for UK immigration control purposes or which otherwise falls within the scope of the exemption from certain data subject rights for purposes of the maintenance of effective immigration control. “The validity and interpretation of the immigration exemption under UK law is not settled following a decision of the England and Wales Court of Appeal of 26 May 2021,” it explained. “While recognising that data subject rights can, in principle, be restricted for immigration control purposes as “an important aspect of the public interest,” the Court of Appeal has found that the immigration exemption is, in its current form, incompatible with UK law. In these conditions, transfers of personal data from the Union to the UK to which the immigration exemption can be applied should be excluded from the scope.”

UK’s data protection adequacy vital to EU relationship

Commissioner for Justice Didier Reynders says that the UK’s data protection adequacy is an essential component of its new relationship with the EU. “After months of careful assessments, today we can give EU citizens certainty that their personal data will be protected when it is transferred to the UK. It is important for smooth trade and the effective fight against crime. The Commission will be closely monitoring how the UK system evolves in the future and we have reinforced our decisions to allow for this and for an intervention if needed. The EU has the highest standards when it comes to personal data protection and these must not be compromised when personal data is transferred abroad.”

Jon Baines, senior data protection specialist at Mishcon de Reya, says, “The European Commission has decided that the UK will continue to be seen as a safe country for the purposes of personal data flows from the EU. The news will be greeted with much relief by businesses, which would otherwise have been faced with having to consider costly alternative measures to continue those data flows.” However, he warns against complacency going forward. “The European Commission will continue to monitor the UK’s data-related laws and practice, and if it feels there is notable divergence from the EU model, it has the power to cancel the agreement. There will also certainly be some people watching closely from the side-lines, such as those in the civil society sector, who may bring challenges to the legality of the decision itself, or of data transfers made under the decision.”