By entering into a Trade and Cooperation Agreement, the EU and the United Kingdom averted a “no deal” Brexit at the last second and established a provisional legal foundation until 30 June 2021 for data transfers to the United Kingdom (for more background, please see: Data protection implications since January 1, 2021). However, no decision has been reached as yet on whether and how data transfers into the United Kingdom would be possible after the transitional period.
On 19 February 2021, the European Commission published a draft adequacy decision for the data protection level in the United Kingdom according to Art. 45(3) GDPR.
This draft acknowledges that the data protection level in the United Kingdom is comparable with that of the EU. If the draft is adopted before the transitional period ends on 30 June 2021, data transfers to the United Kingdom will continue to be possible in the future under the same conditions. In addition, companies would not have to assume any special guarantees (e.g. standard contractual clauses).
The draft has been forwarded to the European Data Protection Board (EDPB) for comment and now requires the consent of all 27 EU Member States. Until all Member States consent, the European Commission cannot accept the draft decision. For its part, the United Kingdom has decided that the EU has an equivalent data protection level, which means that, from the perspective of the UK Data Protection Act, which is largely based on the EU GDPR, companies are currently already permitted to transfer personal data from the United Kingdom into the EU.
The adequacy decision is to have a term of four years from the date on which it enters into force. During this time period, the European Commission will continually verify the data protection level in the United Kingdom. If uncertainties arise, the European Commission reserves the right to temporarily suspend or even revoke the adequacy decision.
It also remains to be seen whether an adequacy decision by the European Commission would stand up to review by the CJEU. In its “Schrems II” decision on 16 July 2020, the CJEU stated that the adequacy decision for the USA, known as the EU-US Privacy Shield, is invalid. Even though the data protection level in the United Kingdom does not currently differ in any significant way from that of the EU, questions remain in regard to access options for security and intelligence agencies. In its Case C-623-17, the CJEU decided on 6 October 2020 that the “general and indiscriminate transmission of traffic data and location data to the security and intelligence agencies” in United Kingdom constitutes an infringement of fundamental EU rights. With this in mind, EU data protection experts have already announced their intention to have a future adequacy decision reviewed by the CJEU.
Nevertheless, putting all concerns aside, an adequacy decision for the United Kingdom would, at least initially, provide companies with legal certainty and clarity. Thus, from a practical viewpoint, the European Commission’s initiative is to be welcomed.
- Dr Daniel Rücker, LL.M., Lawyer (Rechtsanwalt) | daniel.ruecker[at]noerr.com
- Pascal Schumacher, Rechtsanwalt (Lawyer) | pascal.schumacher[at]noerr.com
- Dr Max von Schönfeld, Rechtsanwalt | Max.vonSchoenfeld[at]noerr.com
Compliments of Noerr – a member of the EACCNY.