But European Commission warns adequacy could be revoked ‘immediately’
What is the EU adequacy decision?
The EU adequacy decision is a legal instrument issued by the European Commission that determines whether a non-European Union (EU) country or territory provides an adequate level of data protection to enable the free flow of personal data from the EU member states to that country.When the European Commission issues an adequacy decision, it means that the EU considers the non-EU country’s data protection framework as providing an adequate level of protection for personal data. This enables the transfer of personal data from the EU to that country without the need for additional safeguards or contractual arrangements.
It’s important to note that the EU adequacy decision is subject to periodic review to ensure that the non-EU country continues to maintain an adequate level of data protection. If the European Commission determines that the country no longer meets the required standards, the adequacy decision can be repealed or suspended, necessitating the implementation of appropriate safeguards for data transfers.
Does the UK have adequacy for GDPR?
Yes, the United Kingdom has been granted adequacy status for the General Data Protection Regulation (GDPR) by the European Union. On June 28, 2021, the European Commission adopted an adequacy decision confirming that the UK’s data protection framework provides an adequate level of protection for personal data transfers from the EU to the UK.
United Kingdom adequacy decision
The UK has adequate standards of data protection, the EU Commission ruled yesterday, allowing businesses to breathe a sigh of relief. This decision means that data can continue to flow between the UK and EU, despite the UK now being a ‘third country’. Several other countries including Uruguay, Canada and New Zealand are considered to have adequate standards of data protection by the EU. Without an adequacy decision, data flows between the UK and EU would have been severely disrupted, requiring a wholesale review of clauses and contracts to ensure data could be transferred as it is now between the EU and third countries such as South Africa, India and China.
While the adequacy decision has been adopted for four years, Didier Reynders, the European commissioner in charge of data protection, said the adequacy decision could be withdrawn “immediately” if the commission had serious concerns.
The UK receiving an adequacy decision from the EU is important because the free flow of personal data supports trade, innovation and investment, assists with law enforcement agencies tackling crime, and supports the delivery of critical public services sharing personal data as well as facilitating health and scientific research.
It is worthy to note that the Commission’s press release on the subject includes a warning to the UK that if it erodes EU citizen’s rights, it “will intervene”. This is on top of the fact the adequacy decision is only for four years, while for other countries there is no such time limit. The EU is clearly concerned with signals coming from Westminster of attempts to potentially diverge from the EU’s established GDPR regime, and plans to appoint a new information commissioner who has a more flexible approach to privacy over economic and social benefits of sharing data.
The minister responsible, Oliver Dowden, has often talked of making room for the UK to rewrite some data protection rules, saying previously: “we do not need to copy and paste the EU’s rule book, the General Data Protection Regulation, word-for-word”.
Nor is the adequacy decision shielded from possible legal challenge. The Court of Justice of the European Union has already twice struck down the privacy shield with the United States, and they would not likely blink at overturning the UK’s adequacy decision if it infringed on the rights GDPR is set to protect.
One of the key reasons for the adequacy decision now is that the UK’s system is still fundamentally based on EU rules. Despite Oliver Dowden not wanting to “copy and paste” rulebooks, that’s essentially what the UK did to GDPR after Brexit, reimagining the rules as UK GDPR alongside the UK’s 2018 Data Protection Act.
Also acting in the UK’s favour is remaining subject to the jurisdiction of the European Court of Human Rights, a non-EU body tasked with upholding the European Convention on Human Rights, which also provides international treaty-level data protection. A move away from the Strasbourg court’s decisions having an influence on British law could similarly be cause for concern in the Commission.
The difficulties might come in 2025, when the adequacy decision is reassessed. If the UK is seen to have diverged too greatly from the EU’s version of GDPR, this might throw into question the renewal of adequacy. While for now, businesses can breathe a sigh of relief, in four years’ time, we might have to hold our breaths again.