EC’s Adequacy Decision Approves International Data Transfers to the UK
The European Commission’s latest verdict ascertains that data transfer isn’t added to the list of exchanges Brexit has disrupted.
On June 28, 2021, Europe’s top court adopted two key “adequacy” decisions for the United Kingdom—ensuring the legitimization of the flow of data from the EU under the terms of the General Data Protection Regulation.
This means that the personal data of EU citizens can flow freely towards and from the UK in the post-Brexit landscape. Organisations operating in the EU can continue the transfer of data sans restrictions and without the need to rely upon data transfer mechanisms enforced by the EC—including the Standard Contractual Clauses for EU. This can also be construed as a nod to the UK’s data privacy measures—since the resolution concurs that the UK’s data protection framework is along similar lines to that of the EU.
The “adequacy” status ruling comes as a sigh of relief for many retail investors in the UK and EU alike as the decision was a prerequisite for data transfers to be considered legal.
The EC’s decision professes its confidence in the UK’s incorporation of the European Union’s stringent data privacy principles set forth by the GDPR and is a nod to its propensity to provide robust safeguards to personal data.
There are, however, notable exceptions in matters of national security and immigration. While the current UK legislation allows for the access of bulk data without a citizen being a person of interest in a criminal case, the EC has found the practice to be inconsistent with the General Data Protection Regulation. This means that while the law enforcement in EC member states cannot access an individual’s private data unless the said individual is under suspicion for perpetrating a crime—there is no legal framework that prevents the law enforcement from accessing the data in the UK.
The adequacy agreement ratified by the EC will remain in effect for four years—following which it will be subject to a review—extended only if the level of data protection in the UK remains acceptable throughout the term. As per the discretion of the EC, the agreement can be revoked at any point of time. At the end of the four-year term, the adequacy of the UK must be reaffirmed by the Commission in any case for the agreement to remain in effect.
“We have listened very carefully to the concerns expressed by the Parliament, the Members States and the European Data Protection Board, in particular on the possibility of future divergence from our standards in the UK’s privacy framework,” said Věra Jourová, Vice-President for Values and Transparency, in a press statement.
“We are talking here about a fundamental right of EU citizens that we have a duty to protect. This is why we have significant safeguards and if anything changes on the UK side, we will intervene.”
Since the end of the Brexit transition period, the UK’s data processing regime has been governed by the Data Protection Act, 2018 and the UK GDPR—legal frameworks that are derived from the EU GDPR and the European Law Enforcement Directive.
As a signatory to the Convention 108, the UK remains subject to the jurisdiction of the European legislative bodies—including the European Court of Human Rights and Convention, as observed by the commission.
Abhinav Raj is a political correspondent for the Immigration Advice Service, a UK-based organization of immigration solicitors that provides Indefinite Leave to Remain (ILR) services, Visa assistance for prospective migrants and pro-bono legal counsel.