Data Transfers: Free flow of data from EEA to UK may continue
The European Commission has published a draft adequacy decision, under EU GDPR, which paves the way for the continued free flow of personal data from the European Economic Area to the UK.
However, before the decision is adopted, we need to await an opinion from the European Data Protection Board (EDPB) and a green light from a committee of EU Member States representatives. There are still hurdles to overcome.
The draft decision states the Commission would continue to monitor relevant developments in the UK and invites the UK to inform the Commission of any material change to UK law which impacts on the legal framework of the decision.
(The EC has also published another draft decision for personal data related to law enforcement.)
Why does adequacy matter?
This draft decision is significant as, outside the European Union, the UK becomes what’s termed a ‘third country’.
In the absence of an adequacy decision, in order for EU-UK data transfers to be conducted lawfully, additional measures would be required.
Where no adequacy decision exists, controllers and processors need to consider the following when transferring data from the EEA to a third country (like the UK):
- Appropriate safeguards – for example, making sure rather onerous Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) are in place between the parties, or
- Exceptions for specific situations – for example, where an individual has given their explicit consent, or where the transfer is necessary to enter into or fulfil a contract with the individual.
- A Union or State international agreement – which the UK does not have with the EU.
Is adequacy in any doubt?
The Commission grants adequacy to countries which are assessed to have equivalent data protection laws to those in the EU. Some may be wondering why there are any worries the UK wouldn’t be granted adequacy. After all, the UK implemented GDPR into UK law; it is now UK GDPR.
There have been some well-founded concerns UK surveillance law might throw a spanner in the works.
This fear was heightened last Autumn when the Court of Justice of the EU (CJEU) found UK law permitting intelligence agencies to collect bulk communications data was incompatible with EU law.
This draft decision under EU GDPR, however, appears to accept data protection law is essentially equivalent, but we are not out of the woods yet.
Adequacy would bring a big sigh of relief!
The UK’s inclusion in the list of countries which have been granted adequacy, such as Israel, Argentina, New Zealand and Japan, would be widely welcomed.
Robert Bond, Senior Counsel at Bristows:
“The adequacy decision will be a relief to so many organisations whether in the UK or the EU, and will ensure free flows of personal data between the EU and UK. It will be kept under review and will mean that the UK cannot diverge too far from the EU GDPR and related law such as E-Privacy.”
Thoughts echoed by Matthew Kay, Head of Data Privacy at Survitec:
“An adequacy ruling for the UK will be a welcome decision to many organisations worldwide. This will see data transported in a safe and secure manner increasing confidence and trust in the UK’s handling of personal data.”
Commenting on both draft decisions made on Friday 19 February, Information Commissioner Elizabeth Denham said:
“The draft adequacy decisions are an important milestone in securing the continued frictionless data transfers from the EU to the UK. Today’s announcement gets us a step closer to having a clear picture for organisations processing personal data from the EU and I welcome the progress that has been made.”
What about transfers from the UK?
The rules regarding transfers from the UK to other countries broadly mirror the EU GDPR rules. So, you need to consider a) adequacy, b) additional safeguards and c) specific exceptions.
The UK has already declared data can freely flow from the UK to the EEA.
The UK Government now has the power to make its own adequacy decisions in relation to other countries and these will be known as ‘adequacy regulations’. It has also said this will cover all adequacy decisions made by the European Commission (valid as at 31 December 2020).
What do we mean by data transfers?
In broad terms, an international data transfer would occur where personal data is:
- sent from an EEA country (or UK) to another country
- made accessible to a receiver outside the EEA (or UK)
- shared within the same corporate group outside the EEA (or UK)
- loaded onto a service which is available or may be accessed from outside the EEA (or UK)
It doesn’t apply to sending personal data to someone employed by your company. Equally, personal data that is electronically routed through another country, but not accessed there, is not considered to be a restricted transfer.
Are existing EU Standard Contractual Clauses valid?
The ICO has confirmed the continued use of any EU SCCs (valid as at 31 December 2020) will be permitted for both existing restricted transfers and new ones.
The EU has drafted revised SCCs, which address the big issue of government access to data. Revision of the SCCs was urgently needed after the Schrems II ruling by the Court of Justice of the EU in July 2020.
It’s proposed there will be a 12-month transition period to allow organisations to update contracts to adopt the revised SCCs. No small task for big organisations with multiple contracts to update!
But where does this leave UK controllers and processors? Will the UK adopt or accept these new SCCs? Hopefully we will get some clarity on this from the ICO soon.
You can read the European Commission’s draft adequacy decision here. And we hotly await the final decision.
Philippa Donn, February 2021
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.