
GDPR: European Commission adopts adequacy decision permitting data transfers to UK, but challenges likely

July 2021
Sean O'Halloran and James Hutchinson

The EU Commission on Monday deemed the United Kingdom’s data protection safeguards adequate for the purposes of the GDPR, allowing for the continued free flow of data between the European Union and the United Kingdom. The Commission’s decision will put no restrictions on data transfers between the UK and EU for a minimum of four years but it is likely to be subject to challenge in the courts.

Under the European Union’s General Data Protection Regulation (GDPR), transfers of personal data to countries outside the European Economic Area (in EU parlance, third countries) must comply with strict conditions to ensure proper protections over personal data are maintained. Despite the UK having fully incorporated the GDPR into UK law before withdrawing from the EU, upon formally leaving the bloc last December the UK was not automatically deemed to comply with the GDPR. Accordingly, the EU-UK Trade and Co-operation Agreement applied an implementation period of six months during which transmission of personal data from the EU to the UK was not to be considered as a transfer to a third country. During this period, the Commission was required to examine the possibility of an adequacy decision being adopted in respect of the UK’s data protection laws permitting the free flow of personal data between the UK and EU after the implementation period.

On Monday, days before the deadline of 30 June, the Commission published its implementation decision deeming the UK adequate for the purposes of onward transfers under the GDPR. The Commission’s decision followed on from its draft adequacy finding published in February and a largely positive opinion from the European Data Protection Board in April. However, there was some resistance to the Commission’s plans to deem the UK adequate, particularly by the European Parliament, which adopted a resolution on 1 June, noting what it considered a “high level of indiscriminate surveillance” by the UK authorities. In its implementing decision, the Commission did note the European Parliament’s concerns but found that the UK had sufficiently strong safeguards to protect EU citizens’ data protection rights.

The decision by the Commission will be a significant relief to businesses operating both in the EU and UK, and has been welcomed by the Information Commissioner’s Office. It is, however, likely only a matter of time before the Commission’s finding of adequacy is challenged by an EU citizen, which may result in a supervisory authority suspending transfers of personal data to the UK, or even a reference to the Court of Justice in Luxembourg. In such circumstances, the Commission’s deeming of the UK as adequate may well be struck down, meaning that businesses will be required to implement strict contractual clauses when intending to make data transfers between the UK and EU.

Background: Data flows outside the EU subject to strict requirements by GDPR

One of the stated aims of the GDPR is to ensure the free flow of personal data, not only within the European Union but also to third countries, whilst also ensuring a high level of protection for that personal data. A formal procedure is set out in the GDPR requiring data controllers or processors to assess the permissibility of transfers to third countries. This procedure mandates that the conditions applicable for ensuring transfers to the third country must not undermine the level of protection of individuals guaranteed by the GDPR. Transfers of personal data from the EU are only permitted in the following circumstances:

  • The data controller or processor has applied appropriate safeguards to ensure adequate protection of personal data, and enforceable data subject rights and effective legal remedies are available to the data subjects; or
  • Where an adequacy decision concerning the third country has been made by the European Commission.

Dealing with these in order, the GDPR permits data controllers or processors to use contractual clauses which ensure appropriate data protection safeguards to govern data transfers from the EU to third countries. This includes standard contractual clauses (SCCs) which have been preapproved by the Commission.

A more straightforward route for data transfers is where the European Commission has adopted an adequacy decision in respect of that third country. Where this is made, a data controller is free to transfer data to the third country.

When reaching an adequacy decision, three factors must be considered by the Commission:

  1. The existence of enforceable data subject rights in the third country’s laws, respect for the rule of law, human rights, and the existence of regulations permitting access to data by public authorities in that country. Furthermore, the third country must have effective administrative and judicial remedies to allow data subjects to enforce their rights.
  2. An independent supervisory data protection authority.
  3. Consideration of the international treaties that the third country has acceded to which mandate the protection of personal data.

Prior to its UK adequacy decision, the Commission had recognised twelve countries or regions as adequate. These included the UK Crown Dependencies of Jersey, Guernsey and the Isle of Man. In this context, the decision by the Commission to deem the UK adequate was unsurprising. However, it is of note that the UK Overseas Territory (and former EU member) Gibraltar is not covered by the Commission’s decision and is not deemed adequate by the Commission. This is despite the UK government confirming to UK businesses that transfers of personal data to Gibraltar from the UK are permitted.

Data flows safe for now, but future uncertain

The adequacy decision by the Commission in respect of the UK will be subject to review after four years and contains a sunset clause. Accordingly, should the UK diverge from EU standards of data protection over that period it is possible that the Commission’s decision deeming the UK adequate will not be renewed.

A more immediate concern is that existing UK data protection laws contain exemptions for both national security and immigration purposes, which, along with the bulk surveillance powers set out in the UK’s Investigatory Powers Act 2016, may constitute practices of indiscriminate surveillance. The European Court of Justice has previously found such powers to be inconsistent with the GDPR. These powers will either be subject to a challenge by a citizen in the courts, or an EU member state’s data protection authority may suspend transfers of personal data to the UK owing to its unhappiness with such surveillance.

Schrems III?

In its 2020 Schrems II judgment, the Court of Justice struck down the EU-US Privacy Shield on the basis that US surveillance law did not provide an adequate level of protection to EU citizens’ data as required by the EU’s Charter of Fundamental Rights. Schrems II, along with the pre-GDPR Schrems I case (in which the Court of Justice struck down the EU-US Safe Harbour agreement), focused on whether surveillance by US authorities was subject to sufficient judicial oversight. The CJEU in those cases found that the safeguards put in place between the Commission and the US authorities did not provide sufficient protection for personal data.

Conclusion

The EU Commission’s adequacy decision in respect of the UK will be a significant relief to data controllers and processors operating both in the EU and UK and will provide welcome certainty – at least for the four-year duration of the adequacy decision. However, it is a case of when, rather than if, this week’s adequacy decision will be subject to a complaint to a data protection authority (such as the Irish Data Protection Commission) or a challenge in a member state’s courts, which will invariably result in a preliminary reference to the Court of Justice in Luxembourg. In such circumstances, it is possible that the adequacy decision adopted by the Commission in respect of the UK could be struck down. In that scenario, standard contractual clauses for data transfers to the UK may yet be necessary.

Data controllers and processors can, however, take comfort in the fact that any challenge to the Commission’s adequacy decision will be well flagged in advance and there is minimal risk of the decision on Monday being struck down by the courts in the short term.
