The European Commission on Monday (28 June) adopted two adequacy decisions for the UK, including measures that would enable Brussels to revise the decision in case of changes in the UK legal framework.
The Commission concluded the technical procedure to formally recognise the UK’s legal protection on privacy and judiciary matters as equivalent to EU legislation. The decision will enable the free movement of personal data as part of the EU-UK Trade and Cooperation Agreement.
Didier Reynders, Commissioner for Justice, said: “After months of careful assessments, today we can give EU citizens certainty that their personal data will be protected when it is transferred to the UK… The EU has the highest standards when it comes to personal data protection and these must not be compromised when personal data is transferred abroad.”
UK Secretary of State for Digital Oliver Dowden also welcomed the decision, noting that “after more than a year of constructive talks it is right the European Union has formally recognised the UK’s high data protection standards.”
Věra Jourová, Vice-President for Values and Transparency, explained that the adequacy decision is based on the data protection regime that was in place before Brexit. The Commission has, however, put in place measures to review its decision in case the UK regulatory framework is changed.
The decision will automatically expire after four years, with renewal dependent on the UK maintaining comparable privacy standards.
“It was right for the Commission to give this agreement a deadline and retain the right to review it at any time,” said Vincenzo Tiani, partner of PANETTA law firm. These concerns were prompted by the UK government expressing its willingness to change its data protection law in February 2020.
There has also been speculation that the Johnson government could consider weakening or scrapping GDPR provisions on automated decision-making.
“The possibility for the data subject to be able to object to an automated decision that affects them and to be able to request a human review is crucial today and will be increasingly so as the use of AI becomes more widespread. These safeguards ensure citizens are not unfairly discriminated against and make companies more trustworthy without sacrificing adoption of these technologies,” Tiani added.
Certainty for businesses
The Institute for Government, a London-based think tank, recently argued in a policy paper that the adequacy decision might persuade UK decision-makers to avoid radical divergence from EU privacy law to preserve legal certainty.
The decision was particularly welcomed by businesses as data transfers have become an essential element for international trade. Trade associations, the CBI and techUK, stressed the importance of free data flows for companies operating on both sides of the Channel.
UK businesses have already suffered significant losses following Brexit, according to a recent study conducted for the Financial Times. The study found that roughly one-third of the companies with European operations have seen a loss in trade, and 17% of them have seen a complete trade shutdown since the beginning of 2021.
Overall, UK-EU trade dropped by almost a quarter in the first three months of the year. Smaller companies have paid a higher price, as they have fewer resources to cope with the bureaucratic requirements introduced as the UK left the European bloc.
Rafi Azim-Khan, Head of Data Privacy at law firm Pillsbury, told EURACTIV that “any major departure would be a surprise, as the UK has already copied the GDPR into domestic law, and businesses have gone to huge lengths to ensure ongoing compliance with GDPR rules.”
Besides regulatory changes, the Institute for Government mentions trade agreements involving data transfer deals with third countries and the use of personal data by UK intelligence services as ‘problematic’ points that might prompt the EU to change its position.
In May, the European Court of Human Rights ruled that the UK surveillance regime violates the rights to privacy and freedom of expression, thereby requiring stronger safeguards and judicial authorisation for bulk interceptions.
The ruling was the result of a long legal battle initiated by the revelations of US whistleblower Edward Snowden, which described secret mass surveillance practices by the US and UK intelligence services. The revelations also led to the legal challenge to the EU-US Privacy Shield, which was struck down for a second time last year by the EU Court of Justice in the landmark Schrems II ruling.
Asked at the GRC World Forums whether a Schrems III ruling could be expected on the UK data adequacy agreement, Max Schrems said he had not looked at UK surveillance law in detail, and is not currently planning a legal challenge.
However, the Austrian activist noted that “there is an argument probably legitimately made that UK surveillance law may also not fulfil the requirements that the EU Court of Justice put forward. In a legal challenge, it’s not unlikely that such an adequacy decision would be killed.”
In announcing the decision, the European Commission assessed that the UK surveillance laws provide for ‘strong safeguards’, noting that intelligence services need ‘in principle’ to receive ex-ante judicial authorisation to access personal data.
The Commission considered that the principles of proportionality and limited access to personal data are respected in UK law. EU data subjects will be able to challenge unlawful surveillance before the Investigatory Powers Tribunal.
However, the EU executive has excluded data transfers for the purpose of migration control from the adequacy decision. UK data protection law contains an ‘immigration exemption’ that allows public authorities to deny access to the personal data they hold for the purpose of ‘immigration control’. The exemption has recently been overruled by a UK appeal court for breaching fundamental rights.
[Edited by Benjamin Fox]