On June 28, 2021, the European Commission adopted two decisions finding that the UK’s data protection regime provides an “adequate” level of protection for personal data transferred to the UK from the EU. The first decision covers transfers governed by the GDPR, and permits private companies located in the EU to continue to transfer personal data to the UK without the need for additional arrangements (such as the Commission’s new Standard Contractual Clauses (“SCCs”), which we discuss here). The second decision covers transfers under the Data Protection and Law Enforcement Directive, and permits EU law enforcement agencies to continue to transfer personal data to their counterparts in the UK.
These decisions arrived just two days before the expiration of the so-called “adequacy bridge,” which permitted the free flow of personal data from the EU to the UK (without the need for SCCs or other safeguards) for up to six months following the UK’s departure from the EU.
The substance of the decisions is similar to that set out in the draft decisions published by the Commission in February (our post outlining the principal findings in the draft decisions is available here), with one substantial change. The scope of the GDPR decision has been limited so that it does not cover transfers of personal data for all purposes. Specifically, it does not cover personal data that is transferred to the UK “for United Kingdom immigration control purposes” or that is otherwise subject to the so-called “immigration exemption” under Schedule 2, para. 4(1) of the UK Data Protection Act 2018.
This provision of the UK statute exempts data controllers from the requirement to honor certain data subjects’ rights (e.g., the right of access to data or erasure of data) where the data is processed to maintain effective immigration control or detect activities that would undermine the effectiveness of that control and the exercise of such rights would undermine that purpose. The Court of Appeal of England and Wales recently held that this provision does not satisfy requirements arising under UK law for such exemptions, and it remains unclear whether the UK Government will amend the Data Protection Act in response to the judgment. This leaves uncertainty about the extent to which entities in the EU can transfer data to the UK for this purpose—depending on the construction of the exemption, it might even limit the extent to which EU companies wishing to relocate employees to the UK can share those employees’ data. The Commission leaves it open, however, to revisit the scope of the decision if the UK Government does address the Court of Appeal’s concerns.
Following the adoption of the UK adequacy decision, as noted above, private companies and law enforcement agencies in the EU will continue to be able to transfer personal data to the UK without implementing additional transfer safeguards. Importantly, unlike transfers based on the SCCs, which supervisory authorities can order companies to suspend if they deem it appropriate, only the CJEU has competence to invalidate this decision (pursuant to its ruling in Schrems I). This should give companies greater certainty that transfers of personal data from the EU to the UK will remain permitted by law, although legal challenges to the Commission’s decision, similar to prior challenges to the Safe Harbor and Privacy Shield decisions, remain possible.
In addition, the controversial “sunset clause” remains, meaning that the adequacy determination will lapse unless, following a future assessment, the Commission renews its adequacy determination. To that end, the Commission mentions that it “will closely monitor the situation [to] assess whether the different transfer mechanisms are used in a way that ensures the continuity of protection,” but adds that “as the EU and the United Kingdom share similar rules on international transfers, it is expected that problematic divergence could also be avoided through cooperation, exchange of information and sharing of experience, including between the ICO and the EDPB.” The UK Government previously has expressed its desire to potentially explore other approaches to international data transfers, which could create friction with the EU and place a strain on the UK’s adequacy determination in the future.