Data protection alert: just in time: European Commission adopts adequacy decisions for the UK

The United Kingdom left the European Union formally and effectively on 31 January 2020, which makes the UK a “third country” under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED). This means that the UK is a country outside of the EEA where restrictions apply with regard to the international transfers of personal data. Transfers of personal data, according to the LED and the GDPR, are only allowed (i) in the event that the third country benefits from an adequacy decisions or has appropriate safeguards (for example the standard contractual clauses) in place, or (ii) if one of the exceptions of article 49 GDPR are taken into account (such as the explicit consent of the data subject after being informed of the possible risks of such transfers due to the absence of an adequacy decision and appropriate safeguards).

Despite its classification as a third country, as of 1 January 2021 transfers of personal data from the EU to the UK were governed by the EU-UK Trade and Cooperation Agreement (TCA), agreed between the EU and the UK. This agreement secured an interim period of six months (the so-called “bridging clause”) that ensured the full continuity of data flows between the EEA and the UK, with no need for companies or public authorities to put in place any other transfer tool under the GDPR or the LED. There was thus no need for any additional safeguards until 30 June 2021.

On 28 June 2021, the European Commission adopted two adequacy decisions for transfers of personal data to the UK, under GDPR and LED, which allow personal data to continue to flow freely from the EEA to the UK without the need to obtain any further authorization, as provided for in article 45 (1) GDPR. Transfers for purposes of UK immigration control are, however, excluded from the scope of the adequacy decisions, since data subject rights can, in principle, be restricted for immigration control purposes as ‘an important aspect of the public interest’ (“the immigration exemption”). This immigration exemption has been found incompatible with UK law by the Court of Appeal, as the measure lacks specific provisions setting out the safeguards listed in the UK GDPR, which is based on EU legislation mirroring many aspects of the GDPR.

Important to note is that the European Commission will renew the UK adequacy decision after four years if the UK continues to ensure an adequate level of data protection. This means that the adequacy decision will automatically expire on 27 June 2025, unless it is renewed explicitly by the European Commission.

In order to assess whether the UK continues to ensure an adequate level of protection, the European Commission shall continuously monitor the UK with regard to the application of the legal framework upon which the adequacy decision is based, including the conditions under which onward transfers are carried out, individuals rights are exercised and UK public authorities have access to data transferred on the basis of the adequacy decision.