Contractors, now the UK has an adequacy decision, the free flow of personal data can reign supreme

After months of deliberations on the post-Brexit data protection regime which would be in place between the United Kingdom and the European Union, our neighbours have come to a conclusion on an important decision.

The European Commission has formally granted an Adequacy Decision to the United Kingdom on June 28th 2021, with implications for UK contractors and their end-client organisations, writes Komal Shemar, legal counsel at Gerrish Legal.

The granting of this decision means that personal data from the European Economic Area (which comprises the 27 Member States of the EU, plus Iceland, Liechtenstein and Norway) can be sent to the United Kingdom without the need for additional safeguards.

Refresher: define Adequacy Decision

Personal data, which is “all data that identifies or can be used to identify a natural person,” is protected in the European Union (EU) by the General Data Protection Regulation (or the infamous ‘GDPR’ as it is commonly known). The GDPR is widely acknowledged as the gold standard for data protection laws in the world – and is seen as a reference point even for other countries.

Before Brexit, the UK was subject to EU laws and therefore also subject to the GDPR. As such, the UK, along with all other member states, was automatically deemed to provide the same level of protection to personal data as required in the EU - since all of these countries were bound to the same law.

Under the GDPR, any country that is not a part of this bloc is automatically deemed a ‘third country’ and deemed to not provide the same or similar level of protection to personal data as is accorded under the GDPR. These third countries have to therefore rely on one of the safeguards under Chapter 5 of the GDPR.

One of these safeguards is known as an ‘adequacy decision,’ which is a formal decision adopted by the European Commission, after approval by the member states and relevant bodies, which confirms that the data protection regime of a third country is adequate – i.e., it provides the same or a similar level of protection to personal data as the GDPR. With an adequacy decision, EEA personal data can be sent to this third country without the data importer and exporter relying on any other safeguard.

What is the data situation now with the UK and EU?

Following the UK’s withdrawal from the EU, the UK is also now considered a third country. In our previous article for Contractor UK, we discussed what this meant and the safeguards that were available to UK-based contractors and businesses to ensure that their personal data transfers were compliant.

As we detailed previously, the UK was granted a grace period for six months following Brexit (i.e., until June 2021) whereby UK-based data controllers and processors were allowed to receive personal data from the EEA without having to rely on a safeguard under Chapter 5 of the GDPR.

After this, UK-based contractors and businesses would either have to rely on an adequacy decision if this was granted, or they would have to enter into model clauses that have been drafted by the European Commission for personal data transfers to third countries (known as Standard Contractual Clauses).

Now that we have reached the end of this grace period, and the European Commission has officially granted an adequacy decision, this means that the UK is deemed to provide a similar level of protection to personal data as the GDPR.

The commission has actually granted two decisions – one in relation to adequacy to the GDPR, and one for the EU Law Enforcement Directive. However, it is the former decision that we are discussing in this article.

On the one hand, it is no major surprise. Since the UK’s data protection law, the Data Protection Act 2018, is a mirror image of the GDPR. However, on the other hand, things did seem a little touch-and-go since the UK has some controversial laws which potentially conflict with the GDPR. For example, the UK’s position on intelligence surveillance laws and sharing of personal data with the Five Eyes alliance for national security purposes did seem like a potential roadblock to an adequacy finding. Furthermore, such assessments usually take several years – with the average period being five years. Aside from the UK’s decision, the fastest successful assessment was for Argentina – which took just 18 months.

Nonetheless, the UK has joined an elite group of 13 countries to be formally granted an adequacy decision - Andorra, Argentina, Canada (limited to commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.

What does the UK receiving an adequacy decision mean for my business?

If you are a contractor or have a business that receives personal data from the EEA, you can now rely on the European Commission’s adequacy decision to receive such personal data.

In practice, this will mean updating your privacy notices or any other such similar documentation. Or if you previously entered into or were planning on entering into the Standard Contractual Clauses, as a precaution, this can now be left alone.

Just a quick reminder, though.  Personal data sent from the UK to the EEA was already covered by the adequacy regulation granted by the UK to the EU under the Brexit agreement.

However, the saga is not over, and you still need to stay on the ball with regards to your data protection obligations!

How long does the June 2021 Adequacy Decision last?

Partly you need to stay switched on to your data obligations because the European Commission’s adequacy decision for the UK is only valid for four years – until June 27th 2025, after which it shall be reviewed for a potential renewal. If the UK’s data protection regime changes in such a manner that it no longer provides an ‘adequate’ level of protection to personal data, the UK’s adequacy decision could potentially not be renewed.

However, there is also a real risk that the adequacy decision could be revoked even earlier than four years. Ongoing review of such adequacy decisions and corresponding privacy regimes are not only conducted by official authorities such as the European Commission, the European Data Protection Board and supervisory authorities, but also by privacy activists.

A cautionary example from across the pond

A pertinent example of this is the now-retired EU-US Privacy Shield, which was the safeguard mechanism for personal data transfers from the EEA to the US. If a US company was certified under the Privacy Shield, it meant that they were allowed to receive EEA personal data without having to rely on another mechanism under Chapter 5 of the GDPR – akin to a ‘mini’ adequacy decision.

This Privacy Shield regime was reviewed annually by relevant authorities and regularly came under scrutiny due to the US’s rather invasive national security laws and subpar privacy laws (at least when compared to the GDPR). This included the wide data capture powers allowed under US legislation such as Section 702 of the Foreign Intelligence Surveillance Act (known as FISA) and Executive Order 12333 which contradicted Europe’s fundamental right to privacy.

Ultimately, the Privacy Shield was invalidated in July 2020 in a preliminary hearing by the Court of Justice of the EU for the Schrems II case, where privacy activist Maximillian Schrems was pursuing Facebook in Ireland over their personal data transfers to the US. This came as a shock to businesses and privacy specialists alike -- and serves as a cautionary tale for those of us based in the UK too.

Whare are the contingency plans stemming from the European Commission’s decision?

The UK will have to ensure that its privacy regime continues to accord the same level of protection to personal data as is required to maintain the adequacy decision. Otherwise, the UK will end up in the same tricky position as the US, which is slowing down deals and creating complex contractual paperwork, among other adverse issues.

If the adequacy decision is revoked or not renewed in the UK, UK-based contractors and businesses will have to consider relying on another mechanism under the GDPR, such as entering into the Standard Contractual Clauses, which have now been updated by the European Commission, and come with heavier obligations of assessments to be conducted by the importing and exporting parties.

Next steps

Contractors should ensure that all their privacy documentation is up-to-date, and should ensure that they have some way to keep up-to-date with their privacy obligations.

While the adequacy decision is valid for a period of four years, it is not outside the realm of possibility that it could be challenged before this period expires – especially since it has not been a welcome change for everyone, particularly those concerned about the UK’s national security laws! If you have any questions about data protection, please do not hesitate to contact us.