Let the bells ring out, it’s Adequacy Day! 28 June 2021 and the European Commission formally adopted two adequacy decisions in favour of the UK – one under EU GDPR and one under the EU Law Enforcement Directive. It’s the EU GDPR one we’re most excited about – though it’s not without its wrinkles. Let’s dive in!
There’s never been a dull moment with GDPR. We’ll track through the main events and then look at a couple of oddities on the UK Adequacy Decision.
23 June 2016, and the UK voted to leave the European Union. We all learnt the word Brexit. Which clearly meant Brexit.
Under the EU GDPR, which had entered the statute books just months previously, that meant the UK would become a ‘third country’ on Brexit and no personal data could go from the EEA to the UK without an adequacy decision in place, or the correct use of a safeguard such as the EU Standard Contractual Clauses (SCCs).
Surely there was lots of time to sort out an adequacy decision? The UK was part of the EU for decades, the EU GDPR would apply directly in the UK until Brexit, how hard could it be?
25 May 2018, and the EU GDPR applies across the EU, including the UK (which must have annoyed some people no end).
29 March 2019, the date the UK was going to leave the EU, and there was no chance of an adequacy decision in favour of the UK in time. Many were scrambling to put in place SCCs. But the EU were going to be revising them shortly and who wanted to use the old ones? Many others decided that the ‘powers that be’ wouldn’t put the huge trade that relied on data transfers at risk, and waited.
‘Exit Day’ got extended on 20 March 2019, just 9 days before the deadline, to 30 June 2019 (setting a very annoying tradition of leaving things to the last minute) and then extended again to 31 October 2019.
The ‘New Withdrawal Agreement’ passed on 17 October 2019 and it was clear the EU GDPR would be adopted as the UK GDPR after Brexit – which made lots of people happy as surely, surely, if the UK had the same law then adequacy was guaranteed? And the UK even pre-emptively decided that the EEA was adequate under UK GDPR.
However 31 October 2019, Exit Day, was fast approaching and there was no sniff of an adequacy decision process even starting. As you can guess, it got extended again, on 28 October 2019, just 3 days before the deadline. Privacy pros by this time were in a Groundhog Day situation, the new Groundhog Day being 31 January 2020.
Hopes for another extension were (most likely) dashed when, in December 2019, ‘Britain Trump’ (or ‘Boris Johnson’) won a landslide election and vowed to ‘get Brexit done’ on 31 January 2020. The long-drawn-out negotiations and long-simmering emotions were casting a distinctly ambiguous shadow over any chance of an adequacy decision.
On 31 January 2020, the UK left the EU! Well, it did technically although there was a transition period until 31 December 2020 where, for EU GDPR and various other purposes, the UK was still deemed to be in the EU. Which happily meant there was no transfer when personal data went from the EEA to the UK, so no need for an adequacy decision or SCCs.
But then the Privacy world was shaken to the core on 16 July 2020, when the Court of Justice of the EU (CJEU) gave a decision that was well within the bounds of possibilities and struck down the adequacy decision for transfers of personal data from the EU to the USA: Privacy Shield failed in the case known as Schrems II.
The core reasons were the US surveillance laws that allowed state access to personal data beyond what was necessary and proportionate, and the lack of redress for those covered by EU GDPR who had their personal data accessed in this way. Many drew a line from the US legal provisions to the UK’s surveillance laws.
Cue a frenetic period of LinkedIn debate and heightened stress for Privacy pros because…
if there was no adequacy decision (which now faced some strong headwinds) because of the UK surveillance laws then, according to Schrems II, even SCCs may not work for transfers to the UK
While we all discussed Schrems II, August passed and suddenly we were in December with no news or expectations of an adequacy decision. This was it. Boris wasn’t going to extend the deadline. The old SCCs were scrappy, and they may not pass the Schrems test, but what was a Privacy pro to do?
Then true to form, just days before the extended, extended, extended transition period ended, as Privacy pros were doing last-minute shopping, the UK and the EU entered into a Trade and Cooperation Agreement on 24 December 2020 (TCA). Among other things, the TCA extended the period where the UK was effectively deemed part of the EU (so no transfer) for just 4 months, extendable to 6 months – and by now, we all knew how that was going to play out. We now had until 30 June 2021.
But there was good news on the adequacy decision – it was even mentioned in the TCA, which had clauses restricting the UK’s ability to change its Data Protection Law regime without the EU’s approval (which, again, must have really annoyed some people).
But Britain Trump and his merry Ministers were starting to say all the wrong things about post-Brexit trade deals and the UK granting adequacy decisions of its own under UK GDPR.
This part of the story stayed true to form, with:
of course, just 2 days before the end of the TCA transition period, on 28 June 2021, the EC formally adopted the two adequacy decisions!
Oh yes. As part of the official announcement, Věra Jourová, Vice-President for Values and Transparency, said:
‘The UK has left the EU but today its legal regime of protecting personal data is as it was. Because of this, we are adopting these adequacy decisions today. At the same time, we have listened very carefully to the concerns expressed by the Parliament, the Member States and the European Data Protection Board, in particular on the possibility of future divergence from our standards in the UK’s privacy framework. We are talking here about a fundamental right of EU citizens that we have a duty to protect. This is why we have significant safeguards and if anything changes on the UK side, we will intervene.’
Europe put in place two safeguards, which are not uncontroversial in themselves.
First, the UK Adequacy Decisions are the first to have a ‘sunset clause’, meaning they automatically expire after four years. They ‘might be renewed, however, only if the UK continues to ensure an adequate level of data protection’.
Second, transfers ‘for the purposes of UK immigration control are excluded from the scope of the adequacy decision adopted under the GDPR’, which reflected a May 2021 Court of Appeal judgment that the immigration exemptions in the DPA 2018 were contrary to GDPR. The EC will keep this exception under review while the impact of the CA decision works its way through.
Will we see a Schrems III and, if so, when? Schrems II confirmed (paras 117 and 118 below) that regulators have to comply with adequacy decisions.
While individuals can challenge adequacy decisions, and the cases can wind their way to the CJEU as happened with Schrems I and Schrems II, it’s not a fast process. The UK likely has time to address surveillance better, and follow up on the CA decision on the immigration exemption – but that 4 years will fly by.