On February 19, the European Commission (EC) published the draft of its much hoped-for adequacy decision for transfers of personal data to the UK under the EU General Data Protection Regulation (EU GDPR) (Draft Adequacy Decision). On the same date, the EC also published the draft of its adequacy decision for transfers of personal data to the UK under the Law Enforcement Directive (LED).
The Draft Adequacy Decision has been published two months after the EU and the UK concluded, on December 24, 2020, the Trade and Cooperation Agreement setting out the framework for the EU-UK relationship after the end of the Brexit transition period on December 31, 2020. Under the Trade and Cooperation Agreement, effective from January 1, 2021, transfers of personal data from the EU to the UK are not considered as transfers to a “third country” under EU law for a “bridging period” ending, at the latest, on June 30, 2021.
In practice, this means that the EU has a timeframe of six months to decide whether the UK is to be regarded as an adequate jurisdiction for transfers of personal data from EU Member States, in which case the free flow of personal data will continue at the end of the “bridging period” without the need to implement transfer mechanisms like Standard Contractual Clauses or Binding Corporate Rules. Therefore, although this is by no means the end of the process, the significance of the publication of the Draft Adequacy Decision should not be underestimated.
Key findings of the Draft Adequacy Decision
The assessment under the Draft Adequacy Decision to determine whether the UK ensures an “essentially equivalent” level of protection to that afforded in the EU covers a detailed analysis of the UK data protection legal framework and the rules applicable to government access to personal data.
UK data protection legal framework
Since the end of the Brexit transition period, the data protection legal framework in the UK consists of the following:
- The UK GDPR, which is the EU GDPR (including recitals), as it forms part of the retained EU law and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (Exit Regulations) to accommodate Brexit (such as by replacing references to the EU or Member States with the UK, or to a supervisory authority with the Information Commissioner’s Office (ICO)).
- The Data Protection Act 2018 (DPA), also as amended by the Exit Regulations.
- The secondary legislation which may be adopted by the Secretary of State to amend provisions of the DPA or to set out additional rules (e.g. payment of data protection fee).
- The codes of practice and guidance adopted by the ICO.
- International instruments regarding personal data which the UK adheres to, namely, the European Convention on Human Rights (ECHR) and the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108).
The adequacy analysis of the UK data protection legal framework is essentially a comparison between the EU and the UK frameworks focusing on the following aspects:
- Material and territorial scope.
- Definitions of personal data and concepts of controller and processors.
- Safeguards, rights and obligations.
- Oversight and enforcement.
Throughout the comparison exercise, the Draft Adequacy Decision consistently takes the view that the UK data protection legal framework closely mirrors the one in the EU. There is one area which the EC looks into very carefully: the restriction to individual rights and other provisions under the immigration exemption and for the purpose of safeguarding national security or for defence purposes. However, given that the exemptions are subject to a number of strict conditions and can only be invoked on a case-by-case basis, the EC takes the view that they are unlikely to compromise the level of protection afforded in the UK.
UK government access regime
The Draft Adequacy Decision devotes 53 pages to analysing the UK legal framework governing the potential access and use by UK public authorities of personal data transferred from the EU (UK government access regime), and assessing whether this framework meets the standard required under the EU GDPR and relevant Court of Justice of the European Union (CJEU) case-law. The EC assesses in particular whether the limitations placed on the right to the protection of personal data by the UK government access regime meet the following three criteria:
- They are prescribed by a law which clearly defines the scope and application of the limitations.
- The law imposes minimum safeguards, including specification of the circumstances and conditions under which interference can occur, and independent oversight.
- The law is legally binding and enforceable against the authorities, and allows data subjects to take legal action to exercise their data protection rights.
The comprehensive analysis makes several key findings:
- The UK government access regime is framed by the UK’s membership of the Council of Europe, adherence to the ECHR, and submission to the jurisdiction of the European Court of Human Rights (ECtHR). These require the UK to apply similar principles, safeguards and rights to government access as are required under EU law. The EC stresses that continued adherence to these instruments is a “particularly important” element of its assessment.
- Laws which (i) require telecommunications operators to retain communications data, and (ii) enable public authorities to automatically analyse that retained data in order to identify potentially relevant information, are a particularly sensitive area which has come under repeated scrutiny by the CJEU. Most recently in La Quadrature du Net, the court laid down precise rules regarding the permitted scope and purposes of such requirements under EU law. However, the EC observes (at recitals 196 and 225) that the UK government access regime in these areas relates to data collected in the UK and relating to individuals in the UK. These laws therefore do not affect the level of protection of personal data transferred from the EU, and are therefore technically out of scope for the purpose of the Draft Adequacy Decision.
- The Draft Adequacy Decision also deals at length with the UK-US Agreement on Access to Electronic Data for the Purpose of Countering Serious Crime (UK-US Agreement). The Commission notes that the UK-US Agreement requires that all personal data transferred is subject to “equivalent protections” to those provided under the EU-US Umbrella Agreement, and that UK authorities have confirmed they will not allow the UK-US Agreement to come into force until they have clarity on how this obligation will be complied with.
The EC concludes that the UK government access regime meets the identified criteria and therefore satisfies the standard required under the EU GDPR and relevant CJEU case-law.
As a side-note, the Draft Adequacy Decision, and in particular the three criteria it identifies as relevant to its assessment of the UK government access regime above, may prove a helpful precedent for organisations who, following the Schrems II decision, are required to make their own assessments of local laws relating to access by public authorities before transferring personal data outside the EEA.
The Draft Adequacy Decision is long, dense, and very detailed. Its focus on the UK government access regime seems designed to pre-empt any concerns that could be raised by the European Data Protection Board (EDPB) and other Member States for its final adoption, in particular in light of the Schrems II and La Quadrature du Net decisions.
The EC emphasizes that, the UK being a former EU Member State, it has been complying with the EU legal framework, standards and legal culture for years. This is reflected in the UK’s current legal framework, and helps ensure an equivalent level of protection for personal data. All these elements give reason to be optimistic that the Draft Adequacy Decision for the UK will be finally adopted, satisfying expectations of businesses within both the UK and the EU.
Since particular emphasis is placed on the UK’s adherence to international instruments regarding the protection of personal data (namely, the ECHR and Convention 108) and its submission to the jurisdiction of the ECtHR, the Draft Adequacy Decision will make it harder for the UK Government to make any changes to deviate from those international instruments, as any such changes may compromise the adequacy granted.
For the EC to adopt a final adequacy decision, two additional steps are now required: the EC will need to receive a positive opinion from (i) the EDPB and (ii) a committee of representatives of EU Member States. No timeline has been provided so far for such opinions, but there will be significant pressure for the adequacy decision to be adopted before the end of the “bridging period” on June 30, 2021. The next steps will be highly scrutinised, but given the depth of the EC’s assessment, the UK’s adequacy seems very likely.
Once finalised, the UK adequacy decision is likely to be effective for a period of four years as of its entry into force.
Hogan Lovells - Julie Schwartz, Nick Westbrook and Paula Garcia