Understanding UK-EU data flows: what does data adequacy mean?
Under Article 45 of the General Data Protection Regulation (GDPR), the European Commission has the power to determine whether a third country offers an adequate level of data protection compared with that in the EU.
The adoption of an adequacy decision is broken down into four main steps. These include:
- a proposal from the European Commission
- an opinion of the European Data Protection Board (EDPB)
- an approval from representatives of EU countries
- the adoption of the decision by the European Commission
The adequacy decisions will be subject to review and the European Commission may be requested by the European Parliament and the Council to maintain, amend or withdraw the adequacy decision at any time.
On 19 February 2021, the European Commission provisionally greenlighted the adoption of two adequacy decisions for transfers of personal data to the UK. This followed a thorough technical assessment by the Commission, which found that the UK’s data protection regime provides an equivalent level of protection to the GDPR and the Law Enforcement Directive (LED).
The decisions will now be scrutinised by the EDPB which will give an opinion on the Commission's assessment. After the opinion is given, the decision will progress to comitology before a final decision is taken by the European Council.
If the adequacy decisions are adopted, companies based in the UK that want to continue transferring data from the EU to the UK will not need to put in place an additional legal basis, such as Standard Contractual Clauses (SCCs), to transfer personal data with the EEA.
The European Commission’s draft implementing decision recognises that the structure and main components of the UK legal framework applying to data are very similar to those applying in the EU. This is based not only on the UK’s domestic law, which has been shaped by EU law, but also on the UK’s obligations enshrined in international law, such as the European Convention on Human Rights and Convention 108.
The data adequacy standard does not require finding an identical level of protection or a point-to-point replication of EU law, in this case the GDPR. The litmus test lies in the ability of third countries to demonstrate a similar level of data protection to the EU through their own system, not just through its effective implementation but also through supervision and enforcement through Data Protection Authorities (DPAs). The European Commission has concluded that the UK’s data protection system does so.
Crucially, however, the draft decision notes that, unlike other partners, the UK begins from a position of convergence but has expressed a desire to make changes to its data protection regime. As a result, the UK’s adequacy decision is not focused on ensuring that the UK implements a series of actions to bring its data protection laws more in line with the EU’s over a period of time.
Rather, the Commission’s decision is designed to manage the UK’s divergence from European data protection law, with pathways within the conclusions that could trigger a review and potential termination of the agreement:
- The European Commission will monitor, on an ongoing basis, any relevant policy changes to data protection rules in the UK that may reduce the level of data protection offered.
- The European Commission may repeal, partially or completely suspend, or amend the adequacy decision based on:
  - the process of resolving a complaint from Member State DPAs, which will report to the European Commission any concerns they have or where they find the UK is not offering an equivalent level of protection.
  - any material changes to the UK’s international commitments, specifically its membership of and subjection to the European Convention on Human Rights and its Court (even though this commitment is enshrined in the EU-UK Trade and Cooperation Agreement).
- The adequacy decision will be reviewed four years after the date it enters into force, and the European Commission will initiate the procedure to amend or extend this decision at least six months before this date. This ‘break’ could be the point where the Commission seeks to lay down more conditions and restrictions for the UK under this framework, to avoid more divergence.
Overall, the European Commission’s decision for the UK is very positive and warmly welcomed by both the EU and UK tech sectors which have been making clear the importance of a mutual data adequacy agreement since the Brexit referendum.
Alessandra is techUK’s Policy Manager for Data. She leads techUK’s working groups on Data Protection and Open Data and supports members on key issues such as the UK’s National Data Strategy.
Prior to working for techUK, Alessandra was a Consultant for a Public Policy firm based in London where she helped international technology companies navigate the risks and opportunities of digital policy. Alessandra has experience working for the European Asylum Support Office, the Malta High Commission in London during Malta’s first rotating presidency of the Council of the EU, and the European Parliament Information Office in Valletta. She holds an MSc in Public Policy and a B.A. in European Studies.
As Head of Policy, Neil leads techUK's domestic policy development. He regularly engages with UK and Devolved Government Ministers, senior civil servants and Members of the UK’s Parliaments with the aim of supporting government and industry to work together to make the UK the best place to start, scale and develop technology companies.
Neil joined techUK in 2019 to lead on techUK’s engagement in the UK-EU Brexit trade deal negotiations, as well as leading on economic policy.
He has a background in the UK Parliament and in social research. Neil holds a master's degree in Comparative Public Policy from the University of Edinburgh and an undergraduate degree in International Politics from City, University of London.