Starting 28th June 2021, data can now freely flow between the European Union (EU) and the United Kingdom (UK). This is thanks to the adoption of two “adequacy decisions” which facilitate the seamless transmission of data between countries in the EU and the UK.
Below, we examine the two adequacy decisions for your benefit.
How Does this Policy Concern You?
Businesses and organizations in the UK can continue to receive data from the EU like it was before Brexit, as long as they are guided by the adequacy decision.
Prior to this, such businesses in the UK had to seek alternative arrangements which were mostly costly and required some ingenious navigation of regulations preventing such data transfer.
Also, under the adequacy decisions, customers and consumers of the services provided by these companies will continue to enjoy the assurance that their data will be used fairly, lawfully and transparently.
The EU restricted the flow of Data to and from the UK following the end of the Brexit Transition Period on 31 December 2020. The UK also enacted their own version of the GDPR called the Data Protection Act 2018 which replaced the GDPR.
Companies that rely on transfer of data between the UK and the EU to stay in business, made alternative arrangements which may have been costly and more difficult to manage. This included a subsisting agreement, like the UK-EU Trade Cooperation Agreement (TCA), Binding Corporate Rules, Standard Contractual Clauses which allowed for the restricted flow of data between the UK and the EU following Brexit. The TCA and other rules, however, were only going to serve as a temporary solution to the problem as it only allowed for this free flow of data for 6 months following the end of the transition period.
This solves the challenges of the data privacy/protection ecosystem post-Brexit. The two data adequacy decisions by the EU recognizes the UK’s notable data protection standard and allows for the continuation of the free flow of data between the EU and the UK.
Elements of the Adequacy Decision
Outlined below are the major factors that informed the decision of the Commission:
- The UK has fully incorporated the principles, rights, and obligations of the GDPR and the Law Enforcement Directive into its post-Brexit legal system.
- The UK system provides for strong safeguards with respect to access to personal data by public authorities in the UK, notably for national security reasons. In particular, the collection of data by intelligence authorities is, in principle, subject to prior authorisation by an independent judicial body.
- Transfers for the purposes of UK immigration control are excluded from the scope of the adequacy decision adopted under the GDPR in order to reflect a recent judgment of the England and Wales Court of Appeal on the validity and interpretation of certain restrictions of data protection rights in this area. The Commission will reassess the need for this exclusion once the situation has been remedied under UK law.
- The Sunset Clause, which provides that the decisions will automatically expire four (4) years after their entry into force.
Essence of the Sunset Clause
This safeguard limits the validity of the decision to a period of 4 years after its adoption. If it’s found that the UK continues to ensure an adequate level of data protection, the adequacy findings might be renewed.
However, during these four years, the Commission will continue to monitor the legal situation in the UK and if the UK deviates from the level of protection currently in place, the Commission could intervene. Should the Commission decide to renew the adequacy finding after the 4-year duration, the adoption process would start all over.
The Sunset Clause and the UK Immigration Control limitations, however, qualifies the decision, requiring the UK’s data policies to develop in line with the principles and standards of the EUs GDPR. If this is not the case, then the adequacy decision adopted by the European Commission will be rescinded upon review at the expiration of the 4-year period.