22 March 2021

A Step Closer to Adequacy

By Faye Cheung, Researcher

The European Commission (EC) has published its eagerly awaited draft adequacy decision regarding transfers of personal data from the EEA (European Economic Area) to the United Kingdom.[1] The draft decision concludes that the UK provides an adequate level of protection for personal data coming from the EEA. This is of great importance because if the decision is adopted then personal data can continue to flow freely between the EEA and the UK.

Key Points

One of the factors considered by the EC when assessing adequacy is a country’s respect for human rights and fundamental freedoms. It is for this reason that the draft decision looks at the constitutional framework of the UK as a whole, as well as its data protection framework. The UK’s Human Rights Act 1998 is key to the draft decision because it incorporates the rights contained in the European Convention on Human Rights including the right to respect for private and family life. This right to respect for private and family life includes the right to data protection. In terms of the UK’s specific legislative data protection framework, UK legislation consists of the UK GDPR and the Data Protection Act 2018. As the UK GDPR is based on the EU GDPR, the rules within the UK are very similar to EU rules. This means that the UK was at a very good position at the start of the adequacy determination process compared to other countries currently going through the adequacy process.

Another main area of focus of the draft decision is the way in which public authorities in the UK can access and use personal data from the EEA. This is an especially sensitive area in the wake of the Schrems saga, which looked at how the US National Security Agency’s surveillance programme had direct access to data held by Google, Facebook, Apple and others.[2] The draft decision addresses incidents of concern involving public authorities in the UK but concludes that adequacy is achieved through mechanisms such as the UK’s adherence to the European Convention of Human Rights[3] and through the UK’s Data Protection Act 2018, which provides specific safeguards for data that is processed by public authorities.[4]

The role of the Information Commissioner’s Office is also identified as an essential feature of adequacy because of its enforcement powers and its power to give means for redress for data subjects.

The draft decision supports adequacy but it does express some concern over the future of data protection in the UK now that the UK is not bound by EU privacy law. If the adequacy decision is adopted then the European Commission will monitor the UK on an ongoing basis to look for any ‘material change’ to the data protection framework in the UK as well as any ‘evolution in practices’ related to processing personal data from the EU.[5]

What next?

The European Commission is now awaiting an opinion from the European Data Protection Board (EDPB) and then for approval from EU member states. In the meantime, personal data can continue to flow freely from the European Economic Area into the UK under the EU-UK Trade and Cooperation Agreement until 30 June 2021, unless the adequacy decision is adopted sooner.

The draft decision can be read by clicking here.

This article was first published on Forum Business Media’s GDPR online resource https://www.gdprorb.co.uk/content-partners

[1] https://ec.europa.eu/commission/presscorner/detail/en/ip_21_661

[2] https://www.theguardian.com/technology/2020/jul/16/the-background-to-eu-citizens-court-win-over-us-tech-giants

[3] Paragraph 120

[4] Paragraph 121

[5] Paragraph 275

Disclaimer: The material in this blog post is for general information only and is not legal advice. Always consult a qualified lawyer about a specific legal problem.