European Commission proposes UK data adequacy agreement

The European Commission (EC) has indicated its willingness to offer a data adequacy agreement for the UK, subject to formal approval by EU member states.

The commission has published two draft data adequacy decisions, one under the General Data Protection Regulation (GDPR) and another under the Law Enforcement Directive (LED), to allow for the continued transfer of personal data to the UK, setting in motion the process of their formal adoption

The purpose of data adequacy decisions is to determine whether a country, or sector within a country, outside the European Union (EU) has essentially equivalent data protection standards to the bloc and therefore whether data can be shared with it.

The UK has already determined under its own rules that the EU offers an adequate level of data protection, with the draft decisions now seeking to assess whether data is still able to flow in the other direction from the EU to the UK following Brexit.

According to the decisions, the EC considers that the UK’s data protection laws “ensure a level of protection for personal data… that is essentially equivalent” under both the GDPR and LED, and that the “oversight mechanisms and redress avenues” are sufficiently strong enough to allow data subjects to exercise their rights and sanction infringements.

Both draft decisions will now be scrutinised by the European Data Protection Board (EDPB) but, because the board itself does not have power to block the decisions, they will also need sign-off from EU member states before they can be fully adopted by the EC.

Data is currently able to flow from the EU to the UK under the Trade and Cooperation Agreement signed on 24 December 2020, which provides a six-month bridging period to allow the continued flow of data while the adequacy decisions are fully assessed.   

“A flow of secure data between the EU and the UK is crucial to maintain close trade ties and cooperate effectively in the fight against crime. Today we launch the process to achieve that. We have thoroughly checked the privacy system that applies in the UK after it has left the EU,” said Commissioner for Justice Didier Reynders.

“Now European data protection authorities will thoroughly examine the draft texts. EU citizens' fundamental right to data protection must never be compromised when personal data travels across the Channel. The adequacy decisions, once adopted, would ensure just that.”

If the member states agree the UK is adequate under the LED, it will mark the first time such an adequacy decision has been made under the directive, with most law enforcement data transfers from the EU currently governed by international agreements that do not take into account the standard of essential equivalence that now exists.

Twelve adequacy decisions have been made under the GDPR since it came into effect in May 2018, with Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay all being recognised as adequate jurisdictions by the EC.

In July 2020, the Court of Justice of the EU (CJEU) struck down the EU-US Privacy Shield data-sharing agreement for failing to ensure that European citizens had adequate rights of redress when data can be collected by the US National Security Agency (NSA) and other US intelligence services.

The ruling, colloquially known as Schrems II after the Austrian lawyer who took the case to the CJEU, found that people must be given “essentially equivalent protection” for their data when it is transferred to the US and other countries as they would receive in the EU under the GDPR and the European Charter of Fundamental Rights, which guarantees people the right for private communications and the protection of their private data. The status of EU-US data adequacy has still yet to be fully resolved.

Even though both adequacy decisions for the UK aim to achieve the same standard of essential equivalence, rules for the protection of personal data differ between the GDPR and LED, with the latter setting out sector-specific rules to govern how personal data can be processed and transferred by criminal justice organisations for law enforcement purposes.

The formal adoption of one adequacy decision therefore does not entail the automatic adoption of the other, as both need to be assessed separately on their own merits.  

UK government and tech sector react to GDPR adequacy

Secretary of state for digital Oliver Dowden welcomed the publication of the draft decisions, which he claimed reflect the UK’s commitment to high data protection standards.

“Although the EU’s progress in this area has been slower than we would have wished, I am glad we have now reached this significant milestone following months of constructive talks in which we have set out our robust data protection framework,” he said.

“I now urge the EU to fulfil their commitment to complete the technical approval process promptly, so businesses and organisations on both sides can seize the clear benefits.”

The draft decisions have also been received positively by industry bodies representing a variety of businesses in the UK’s tech sector.

“Today’s decision is warmly welcomed by the tech sector which has been making clear the importance of a mutual data adequacy agreement since the day after the referendum,” said Julian David, CEO of TechUK.

“Receiving data adequacy, alongside the EU-UK Trade and Cooperation Agreement, will set a solid foundation for digital trade with the EU, including strong non-discrimination clauses and positive data flows provisions, that will give businesses the confidence to invest.”

Stephen Kelly, chair of Tech Nation, added the international transfer of data was critical to UK tech, particularly for sectors like financial technology (fintech) where rapid growth has been predicated on unlocking the value of data.  

“The data economy makes up about 4% of national GDP and is predicted to be worth $130bn by 2025, making the UK a global hub for data flows. The positive adequacy decision between the UK and the EU therefore brings great news to the tech sector, following months of waiting and contingency planning in the bridging period,” he said.

“It supports the continued growth of tech scaleups and the position of the UK as a global leader in data-driven technologies. As we look ahead at building back better, the international flow of data will be vital to fueling the next wave of business innovation and driving transformation in our society.”

Potential issues with securing LED adequacy

In early February 2021, the EDPB published its first ever guidance on the LED, writing that “adequacy decisions should focus on the assessment of the existing legislation of the third country concerned as a whole, in theory and practice, in light of the assessment criteria set out in the LED.”

It added: “Any meaningful analysis of adequate protection must [therefore] comprise two basic elements: the content of the rules applicable and the means for ensuring their effective implementation in practice.”

While the EDPB was writing in the context of LED adequacy, the process of analysing UK data protection laws in both theory and practice also applies to GDPR adequacy.

Data protection experts have previously warned that while the UK’s LED commitments are there on paper through its transposition in Part Three of the Data Protection Act (DPA 18) – which is corroborated by the EC draft decision – certain practices within the UK’s intelligence services and criminal justice sector (CJS) could undermine the country’s ability to secure a positive adequacy decision under the directive.

These concerns also extend to GDPR adequacy, but stricter rules on how data can be transferred for law enforcement purposes mean they are particularly problematic for LED adequacy.

Specifically, they cited the close relationship between the UK and the US as a problem due to the latter’s lack of adequate data protection standards, as well as the UK’s own intrusive surveillance regime, which has been enshrined in the Investigatory Powers Act 2016, otherwise known as the “Snoopers' Charter”.

The growing use of US-based public cloud services by UK police and the wider CJS was also cited as a potentially huge problem for the UK’s ability to obtain LED adequacy because of the potential for remote access to that data and its onward transfer to a non-adequate jurisdiction.

While the draft decisions are large, 50-plus page documents that require detailed analysis to fully understand, first impressions from law enforcement specialists expressed disappointment that the EC document is principally a legal summary and does not seem to consider these practical, real-world aspects.

They also suggested that while this EC adequacy recommendation has been published it is still too early to assume it will pass.

“The LED is not a single EU-wide regulation like the GDPR” said Owen Sayers, a UK-based independent privacy consultant with extensive knowledge of the LED. “Each EU member state, including the UK when we were EU members, has created its own interpretation of the directive, and the EC recently published a study of the multiple different implementations across the EU demonstrating how much they vary country to country.”

Sayers added “Each member state will probably want to review the EC recommendation to ensure its findings align with their own legislation. In effect the UK needs 27 positive legal reviews of LED alignment to be successfully passed as adequate, whereas GDPR needs only one.

“Even then it is not yet clear how much data the EU member states will be willing to share - an adequacy finding enables data sharing but it does not oblige a member to do so.”