The EU’s UK adequacy decision should not be seen as a cast-iron permanent solution

When the UK completed its legal separation from the EU on 31 December 2020, it became a “third country” for the purposes of EU laws, including the General Data Protection Regulation (GDPR)

A consequence of this is that the free flow of data rules that apply within the European Economic Area no longer apply to the UK. To avoid a “cliff edge” on data sharing between the EEA and the UK, the EU-UK Trade Deal allows the continued transfer of personal data between the EEA and the UK on a transitional basis for up to 6 months from 1 January 2021.

Although a post-Brexit data flow crisis was averted by the trade deal, a more long-term solution is required to provide certainty and confidence to business, particularly in the digital economy, that cross-border data flow is assured.

The GDPR restrictions on data export from the EEA do not apply in respect of non-EEA countries that have been evaluated by the European Commission and found to have adequate and equivalent levels of protection for personal data to the EU data protection regime. Such an “adequacy decision” in respect of the UK would provide a more long-term solution to data flow between the EEA and the UK.

The EU issued a draft adequacy decision in respect of the UK on 19 February 2021. The adequacy decision is now subject to a non-binding opinion of the European Data Protection Board and approval of a committee composed of representatives of the EU Member States. Although it is widely expected that the adequacy decision will be formally adopted, which will allow data flows from the EEA to the UK to continue without the need for additional compliance measures, the legal mechanism underpinning the solution is not immune from future challenge and the adequacy decision should not be viewed as a cast-iron “permanent solution”.

Firstly, the adequacy decision is for an initial term of four years only, at which point it will be reviewed to ensure that the detailed conclusions reached by the European Commission remain valid. In that time, it is possible that the UK may have begun a process of divergence from EU data protection laws. Any such changes would mean that a further substantive assessment by the European Commission is required – in its adequacy decision the European Commission pre-empted this possibility by concluding that the UK will “apply and enforce a new data protection regime, no longer subject to European Law and which may be liable to evolve”.

 The legal mechanism underpinning the solution is not immune from future challenge

 The Commission also placed considerable weight on the interpretation of principles of data protection law by the UK courts – for example, in respect of restrictions to data subject rights in the context of specified types of data processing, such as that relating to the detection and prevention of crime. The attitude of the UK courts may also evolve in a “business friendly” manner over time to favour the “controller” of personal data in a manner which is unacceptable to the European Commission. There is accordingly a risk that the adequacy decision will not be renewed in four years’ time if the UK’s data protection regime, as a whole, is no longer considered to be “essentially equivalent” to the EU regime at that time.

It is also worth noting that the adequacy decision can be suspended or repealed by the European Commission prior to the end of the initial four year term if the European Commission’s ongoing monitoring obligations in respect of the UK’s data protection regime disclose unacceptable changes, at any time, which affect the legal framework on which the adequacy decision was based.

The UK has stated its policy of seeking independent international trade deals with a number of strategic partners, including the US. However, the UK will find itself in a difficult position if the free flow of personal data to such partners, forms part of the trade terms.

This would be in direct conflict with the GDPR which requires compliance measures which are GDPR-compliant to apply to all onward transfers of personal data. The European Commission notes in the adequacy decision that “the level of protection afforded to personal data transferred from the European Union […] must not be undermined by the further transfer of such data to recipients in a third country.” Any steps by the UK to set aside compliance measures relating to onward transfer of personal data from the UK to third countries in connection with trade deals will present a further risk to the validity of the adequacy decision.

Finally, another spectre on the horizon is a future legal challenge to the validity of the European Commission’s UK adequacy finding before the Court of Justice of the European Union (“CJEU”).

The precedent for this risk was established by the Schrems I and Schrems II cases, in which the CJEU invalidated adequacy decisions which the European Commission had made in respect of EEA-US data transfer mechanisms. A particular concern was US mass surveillance laws and perceived broad access to private data by intelligence agencies.

 The UK has stated its policy of seeking independent international trade deals…however, the UK will find itself in a difficult position if the free flow of personal data to such partners, forms part of the trade terms

US authorities have pointed out that the CJEU is holding the US to a higher standard than its own member states since data processing in the areas of national security is excepted from the GDPR and it is arguable that the national security measures and laws of certain EU Member States offer less protection than the corresponding US regime (particularly EU member states which permit the bulk collection of personal data for security purposes and/or do not provide for judicial oversight of intelligence collection of personal data).

Against that backdrop, now that the UK is no longer a member of the EU, there is a risk that an action could be brought before the CJEU seeking to invalidate the European Commission’s adequacy finding in respect of the UK, on the basis of the UK’s mass surveillance laws.

However, while the US may be correct in saying that the Schrems II case was not truly about a conflict of laws conundrum in the way framed by the CJEU, the scrutiny of the usage of data for national security and intelligence services by the CJEU may just be the price of not being part of the club.

Muzaffar Shah, Data Privacy Partner, Keystone Law

Register for free to receive the latest privacy, security and data protection news and analysis straight to your inbox