The European Commission has adopted two adequacy decisions for the UK – one under the GDPR and the other for the Law Enforcement Directive. The decisions mean that personal data can continue to flow freely from the EU to the UK where it benefits from an essentially equivalent level of protection to that guaranteed under EU law. The adequacy decisions also facilitate the correct implementation of the EU-UK Trade and Cooperation Agreement, which foresees the exchange of personal information, for example for cooperation on judicial matters.
However, it is worth noting that the adequacy decisions include safeguards in case of UK law diverges from EU law. These include a ‘sunset clause’, which limits the duration of adequacy to four years.
The key elements of the adequacy decisions are described below:
- The UK’s data protection system continues to be based on the same rules that applied when the UK was an EU member state. The UK has fully incorporated the principles, rights and obligations of the GDPR and the Law Enforcement Directive into its post-Brexit legal system.
- Regarding access to personal data by public authorities in the UK, notably for national security reasons, the UK system provides for strong safeguards. In particular, the collection of data by intelligence authorities is, in principle, subject to prior authorisation by an independent judicial body. Any measure needs to be necessary and proportionate to what it intends to achieve. Any person who believes they have been the subject of unlawful surveillance may bring an action before the Investigatory Powers Tribunal. The UK is also subject to the jurisdiction of the European Court of Human Rights and it must adhere to the European Convention of Human Rights as well as to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, which is the only binding international treaty in the area of data protection. These international commitments are an essential elements of the legal framework assessed in the two adequacy decisions.
- However, the adequacy decisions include a so-called ‘sunset clause’, which strictly limits their duration. This means that the decisions will automatically expire four years after their entry into force. After that period, the adequacy findings might be renewed, but only if the UK continues to ensure an adequate level of data protection. During the next four years, the European Commission will continue to monitor the legal situation in the UK and could intervene at any point, if the UK deviates from the level of protection currently in place. If the Commission decides to renew the adequacy finding, the adoption process would start again. Given the TIGGR report, it is not entirely unfeasible that UK law could diverge over the next four years.
- Transfers for the purposes of UK immigration control are excluded from the scope of the adequacy decision adopted under the GDPR. This reflects the recent judgment of the Court of Appeal in The Open Rights Group & Anor, R (On the Application Of) v The Secretary of State for the Home Department & Anor [2021] EWCA Civ 800 about the validity and interpretation of certain restrictions of data protection rights in this area. The Commission will reassess the need for this exclusion once the situation has been remedied under UK law.
The UK government has updated its guidance on data flows to reflect the adequacy decision.