The EU Commission has signalled its intention to grant the UK an adequacy decision allowing the free flow of personal data from the EU to the UK.
Now that the full text of the draft adequacy decision for transfers under the General Data Protection Regulation has been published, two key points emerge: (i) the UK effectively remains tied to the EU regime and the European Convention on Human Rights if it wishes to retain adequacy; and (ii) the UK might have come up with the solution everyone has been looking for to align the competing interests at play in managing data privacy.
The UK’s limited room for manoeuvre
Although it will keep data flowing from the EU to the UK, the draft adequacy decision is heavily caveated with warnings about what will happen if the UK seeks to diverge from the EU position – ultimately, the adequacy decision will be revoked. So, the room for manoeuvre for the UK in the way it handles personal data is limited. The draft adequacy decision also makes it very clear that the EU sees the underpinning of the UK regime by international commitments as a vital element of its adequacy decision. This means that the UK cannot abandon its position in applying the European Convention on Human Rights in its domestic law without fatally undermining adequacy. So, the UK has certainly not “taken back control” in that sense.
A “world beating” template?
This will be the first adequacy decision made by the EU Commission after the judgment of the Court of Justice of the European Union (CJEU) in the Schrems II case in July 2020. This ruling tightened the criteria for adequacy (and other bases for personal data transfers outside the EU) when abolishing the EU/US Privacy Shield arrangements. It is also the first adequacy decision since other rulings by the CJEU in the Privacy International and Quadrature du Net cases in October 2020, which found that national surveillance laws adopted by the UK and by EU Member States will be struck down unless they satisfy strict criteria.
In finding that the UK’s data protection regime is essentially equivalent to the EU’s rules, the EU Commission has taken into account these recent cases. That the UK regime has passed the EU Commission’s test when applying these strengthened EU laws is significant as it potentially offers a template for other “third countries” (like the United States) to follow if they wish to do so. The UK model might now offer a way to satisfy the increasingly stringent requirements around the three sides of the EU’s data privacy triangle by balancing: (i) individuals’ privacy with (ii) State-based wishes to use personal data for national security/law enforcement purposes with (iii) the exploitation of data by commercial organisations.
Of course, it is highly likely that privacy advocates will seek to challenge the UK adequacy decision, so we might expect to see a final determination on this point by the CJEU in the next couple of years. However, this could be a breakthrough moment and something everyone has been striving to achieve since the Edward Snowden allegations first emerged in 2013. To adopt another phrase often used by the current UK Government, have we now got a “world beating” template for data privacy?
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, February 2021