In this article, Lorna Bolton, Director of Commercial & IP at law firm Greenaway Scott (part of the GS Verde Group), explains the background to the new adequacy decisions, what their adoption means for your business and provides some thoughts for the future.
On 28 June 2021 the European Commission (Commission) adopted two adequacy decisions in respect of transfers of personal data from the EU/EEA to the UK (Adoption). The Adoption is a significant step on a long road over recent years concerning transfers of personal data. Indeed, many organisations in the UK and EU/EEA welcome the Adoption as it brings an end to the recent uncertainty around transfers of personal data from the EEA/EU to the UK.
However, whilst the Adoption is a positive step, it is time limited and is likely not immune from legal challenges. Therefore, as a business in the UK receiving personal data from the EU/EEA, it is prudent to understand the significance of the Adoption and potential future developments in this area.
When the UK was a member of the EU, the GDPR applied to the UK and all other member states. The UK then of course departed from the EU. The EU Withdrawal Act 2018 functioned to take a snapshot' of all EU law as it existed on the day the UK departed from the EU on 31 December 2020 (at 11:00 pm) and retain the same in UK law as retained EU law. This retained EU law includes the GDPR, which is now known as the UK GDPR to distinguish it from the original GDPR, now referred to as the EU GDPR.
Under the EU GDPR, transfers of personal data from the EU/EEA to a 'third country' which now includes the UK as it is no longer a member of the UK are only lawful if:
1. the Commission has issued an appropriate adequacy decision in respect of the third country;
2. 'Appropriate Safeguards' (as defined under the EU GDPR) are in place. There are several 'Appropriate Safeguards including Binding Corporate Rules and Standard Contractual Clauses issued by the EU Commission; or
3. one of a number of quite specific and narrow exemptions under the EU GDPR is relied upon However, most of the time such exemptions are commercially impractical to rely upon.
Prior to the end of the transition period on 31 December 2020, the UK passed laws automatically recognising members of the EU and EEA as adequate in respect of data protection meaning UK businesses could continue transferring personal data to the EU/EEA unhindered as if the UK was still a member state of the EU.
On 24 December 2020 the EU and the UK entered into a Trade and Co-operation Agreement (the Agreement). The Agreement created a bridging period extendable to 30 June 2021 during which transfers of personal data from the EEA/EU to the UK were deemed adequate under the EU GDPR (Bridging Period) so as to avoid disruption to businesses at the end of the transition period.
So, after expiry of the Bridging Period UK businesses would either need a suitable adequacy decision issued by the EU or they would need to implement 'Appropriate Safeguards' or rely on a specific exemption under the EU GDPR in order to continue transferring personal data from the EU/EEA.
WHAT DO THE ADEQUACY DECISIONS MEAN FOR MY BUSINESS?
If your business relies upon transfers of personal data from the EEA/EU to the UK, then hopefully it will mean saving a substantial amount of time and money!
If the adequacy decision had not been issued by the Commission before expiry of the Bridging Period, then unless your business was able to rely upon Binding Corporate Rules already in place, it would have had to incur time and cost auditing its cross-border data transfers from the EEA/EU and implementing another 'Appropriate Safeguard' under the EU GDPR unless it was able to rely on the above mentioned narrow exemptions. The most likely 'Adequate Safeguard' your business would have chosen to implement would be entering into Standard Contractual Clauses issued by the Commission with the business(es) or individual(s) transferring personal data from the EEA/EU. In addition to putting this paperwork in place, you may have been asked to assist such business(es) or individual(s) in completing an assessment of UK data protection laws required by a judgment of the CJEU colloquially called Schrems II which supplements the EU GDPR.
Fortunately the Adoption means that for the moment your business can avoid all of that, and personal data transfers from the EEA/EU can continue unhindered!
THOUGHTS FOR THE FUTURE
First, the adequacy decisions will be subject to review after four years and contain a sunset clause. This means if the UK diverges too much from the EU's data protection standards over the next four years, one or both adequacy decisions may not be renewed.
Second, some commentators think it is only a matter of time before one or both adequacy decisions are challenged by an EU citizen in an EU court. This could result in a supervisory authority in an EU member state or the EEA suspending transfers of personal data from it to the UK or a reference to the EU's highest court, the CJEU, which could strike down one or both adequacy decisions altogether.
Third, the Adoption wasn't without bumps. In its resolution adopted 01 June 2021, the European Parliament noted 'a high level of indiscriminate surveillance' by UK authorities. Presumably the Parliament was referring to exemptions in UK data protection laws for national security and immigration purposes and bulk surveillance powers in the Investigatory Powers Act 2016. However, by making the Adoption the Commission has decided that as it stands the UK has sufficient safeguards to protect EU citizens' data protection rights. These exemptions are linked to the second point above in that, in the view of some commentators, if the CJEU were to review them as part of a reference to it by an EU citizen, it could persuade the CJEU to strike out the Adoption.
HOW CAN GREENAWAY SCOTT HELP?
Greenaway Scott's Commercial solicitors are experienced in advising a range of clients on many aspects of data protection in relation to commercial contracts and corporate transactions. If your business needs assistance in relation to transfers of personal data or data protection generally, please contact: LBolton@greenawayscott.com.
Lorna Bolton, Director of Commercial & IP, Greenaway Scott
Greenaway Scott is part of the GS Verde Group, a corporate finance led deal-making group.