Data protection update: latest developments on EU and UK transfers

Background

On 28 June 2021, the European Commission issued two EU adequacy decisions finally bringing to an end the uncertainty over whether transfers of personal data from the EU to the UK could continue without an additional requirement for reliance on appropriate safeguards or derogations. Nevertheless, uncertainty still remains for international transfers involving the UK given that such adequacy decisions could in future be challenged and in relation to what standard contractual clauses may be used in future for transfers from the UK.

Adequacy decisions

On 28 June 2021, the European Commission adopted two adequacy decisions for transfers of personal data to the UK in respect of the GDPR and Law Enforcement Directive.

This followed an in-depth consideration of the UK’s domestic law and international commitments (including in respect of the European Convention on Human Rights), and the mechanisms for oversight and redress in place.

Process

While both decisions allow for continued flows of personal data to the UK (provided compliance with other EU data protection law requirements is observed), the process to conclude them has been complex. The adoption of the decisions follows a complex process involving the Commission, EU data protection authorities sitting in the European Data Protection Board (“EDPB”), the European Parliament and the Member States.

Following publication of the Commission’s draft adequacy decisions on 19 February 2021, on 13 April 2021 the EDPB adopted non-binding opinions. While noting the UK’s close alignment with the EU data protection framework by virtue of its former status as a Member State, the EDPB raised a number of concerns, such as the risks regarding developing divergence between EU and UK data protection law, and recommended that the Commission should consider amending the adequacy decisions to: (i) introduce specific safeguards for EU personal data transferred to the UK; and/or (ii) enable suspension of the adequacy decisions in certain cases. This was followed on 21 May 2021 by a European Parliament resolution also calling for similar changes in approach.

These developments led to some delays in the procedure to adopt the adequacy decisions while amendments to the Commission’s initial proposals were quickly negotiated, after which the Member States voted unanimously in favour of the proposals. The Commission was then able to conclude the comitology procedure and adopt the adequacy decisions just before the end of the grace period or ‘bridge’ provided by the EU-UK Trade and Cooperation Agreement for continued transfers from the EU to the UK, which expired at the end of June.

Limitations

Further to the process of adoption, the adequacy decisions are subject to some important limitations, including that:

• They will last for a time-limited period of four years (unless the Commission and Member States choose to extend them);
• In the case of the GDPR decision, the Commission is required to ‘closely monitor’ UK data protection developments – including in respect of international transfers and UK rules relating to government access to data – to determine if the UK maintains an essentially equivalent level of data protection, with similar monitoring requirements also applying in the case of the Law Enforcement Directive decision; and
• If the Commission concludes that the UK’s level of data protection may no longer be adequate then the Commission may request that appropriate measures be taken within a specified timeframe and, in certain circumstances, may suspend or repeal the adequacy decisions.

Ongoing uncertainties

There are however some ongoing risks in respect of transfers.

Firstly, as UK and EU data protection law start to develop separately, there is a possibility that the monitoring undertaken by the Commission may identify areas where in its view the UK level of data protection is no longer essentially equivalent. In such a scenario, any deficiencies would need to be addressed quickly to avoid the risk of suspension or the repeal of the adequacy decisions.

In addition, following previous rulings by the Court of Justice of the European Union, including in the recent “Schrems II” case, there is the ongoing possibility of a challenge to the validity of the decisions.

Businesses may therefore wish to consider whether it is appropriate to include ‘back-up’ alternatives in agreements in future to address the risk of the adequacy decision being struck down, such as incorporating the new EU standard contractual clauses, noting that additional due diligence of data importers would also be required together with the possible need for supplementary measures.

Further expected developments for international transfers

There are also uncertainties as to what requirements will apply for international transfers from the UK to third countries which do not benefit from a UK adequacy finding over the coming months. While the UK has currently retained the previous EU standard contractual clauses for use for transfers from the UK on a transitional basis, the new EU standard contractual clauses will not be automatically reflected in UK law. The ICO is due to begin a consultation on new UK standard contractual clauses shortly.