On June 28, 2021, the European Commission adopted two decisions finding that the UK’s data protection regime provides an “adequate” level of protection for personal data transferred to the UK from the EU.  The first decision covers transfers governed by the GDPR, and permits private companies located in the EU to continue to transfer personal data to the UK without the need for additional arrangements (such as the Commission’s new Standard Contractual Clauses (“SCCs”), which we discuss here).  The second decision covers transfers under the Data Protection and Law Enforcement Directive, and permits EU law enforcement agencies to continue to transfer personal data to their counterparts in the UK.

These decisions arrived just two days before the expiration of the so-called “adequacy bridge,” which permitted the free flow of personal data from the EU to the UK (without the need for SCCs or other safeguards) for up to six months following the UK’s departure from the EU.

The substance of the decisions is similar to that set out in the draft decisions published by the Commission in February (our post outlining the principal findings in the draft decisions is available here), with one substantial change.  The scope of the GDPR decision has been limited so that it does not cover transfers of personal data for all purposes.  Specifically, it does not cover personal data that is transferred to the UK “for United Kingdom immigration control purposes” or that is otherwise subject to the so-called “immigration exemption” under Schedule 2, para. 4(1) of the UK Data Protection Act 2018.

This provision of the UK statute exempts data controllers from the requirement to honor certain data subjects’ rights (e.g., the right of access to data or erasure of data) where the data is processed to maintain effective immigration control or detect activities that would undermine the effectiveness of that control and the exercise of such rights would undermine that purpose.  The Court of Appeal of England and Wales recently held that this provision does not satisfy requirements arising under UK law for such exemptions, and it remains unclear whether the UK Government will amend the Data Protection Act in response to the judgment.  This leaves uncertainty about the extent to which entities in the EU can transfer data to the UK for this purpose—depending on the construction of the exemption, it might even limit the extent to which EU companies wishing to relocate employees to the UK can share those employees’ data.  The Commission leaves it open, however, to revisit the scope of the decision if the UK Government does address the Court of Appeal’s concerns.

Following the adoption of the UK adequacy decision, as noted above, private companies and law enforcement agencies in the EU will continue to be able to transfer personal data to the UK without implementing additional transfer safeguards.  Importantly, unlike transfers based on the SCCs, which supervisory authorities can order companies to suspend if they deem it appropriate, only the CJEU has competence to invalidate this decision (pursuant to its ruling in Schrems I).  This should give companies greater certainty that transfers of personal data from the EU to the UK will remain permitted by law, although legal challenges to the Commission’s decision, similar to prior challenges to the Safe Harbor and Privacy Shield decisions, remain possible.

In addition, the controversial “sunset clause” remains, meaning that the adequacy determination will lapse unless, following a future assessment, the Commission renews its adequacy determination.  To that end, the Commission mentions that it “will closely monitor the situation [to] assess whether the different transfer mechanisms are used in a way that ensures the continuity of protection,” but adds that “as the EU and the United Kingdom share similar rules on international transfers, it is expected that problematic divergence could also be avoided through cooperation, exchange of information and sharing of experience, including between the ICO and the EDPB.”  The UK Government previously has expressed its desire to potentially explore other approaches to international data transfers, which could create friction with the EU and place a strain on the UK’s adequacy determination in the future.

Paul Maynard

Paul Maynard is special counsel in the technology regulatory group in the London office. He focuses on advising clients on all aspects of UK and European privacy and cybersecurity law relating to complex and innovative technologies such as adtech, cloud computing and online platforms. He also advises clients on how to respond to law enforcement demands, particularly where such demands are made across borders.

Paul advises emerging and established companies in various sectors, including online retail, software and education technology. His practice covers advice on new legislative proposals, for example on e-privacy and cross-border law enforcement access to data; advice on existing but rapidly-changing rules, such as the GDPR and cross-border data transfer rules; and on regulatory investigations in cases of alleged non-compliance, including in relation to online advertising and cybersecurity.

Nicholas Shepherd

Nicholas Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing laws, and other privacy and cybersecurity laws worldwide. Nick counsels on topics that include adtech, anonymization, children’s privacy, cross-border transfer restrictions, and much more, providing advice tailored to product- and service-specific contexts to help clients apply a risk-based approach in addressing requirements in relation to transparency, consent, lawful processing, data sharing, and others.

A U.S.-trained and qualified lawyer with 7 years of working experience in Europe, Nick leverages his multi-faceted legal background and international experience to provide clear and pragmatic advice to help organizations address their privacy compliance obligations across jurisdictions.

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.