Just in Time - EU Adopts Adequacy Decisions for free flow of data with UK
Client Alert | 2 min read | 06.29.21
On 28 June 2021, the European Union (EU) adopted two adequacy decisions which permit the free flow of personal data from the EU and the European Economic Area (EEA) to the UK. The adequacy decisions are given under the EU General Data Protection Regulation (GDPR) and Law Enforcement Directive (LED), and include the EU’s assessment of the UK’s data protection standards. The decisions are necessary because EU data protection law limits transfers to a third country (the UK became a third country as a result of Brexit), and under the EU – UK Trade Cooperation Agreement the transition period was due to expire on 30 June 2021.
The awaited decision has followed over a year of discussions and will mean that UK businesses and organisations can keep receiving personal data from the EU and EEA, without implementing additional measures. The decision under the LED covers the specific transfer of personal data for law enforcement purposes and cooperation on judicial matters. The UK has already recognised the EU and EEA member states as having adequate regimes, thus creating a reciprocal regime for the transfer of personal data.
The decisions recognise the UK’s high data protection standards and its close alignment with the EU regime. This includes the UK’s choice to retain the GDPR, tailored to the UK and known as the “UK GDPR”, and Law Enforcement Directive obligations following Brexit. They also conclude that the UK has strong safeguards of personal data, especially data collected for national security reasons. The protections include subjecting public authorities to authorisation from an independent judicial body to collect personal data, and assessing such requests on their necessity and proportionality to achieve their aim. Additionally, there is a complaint mechanism for individuals to bring an action before the Investigatory Powers Tribunal if they believe they have been subject to unlawful surveillance. The decisions were also supported by the UK’s commitment to international bodies such as the European Court of Human Rights, European Convention of Human Rights and the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.
Conditions Attached
However, the adequacy decisions are conditional on the UK not deviating from EU standards of protection. The first limitation of the decision is that it excludes from its scope data flowing to the UK for immigration control. This is due to a decision from the Court of Appeal, which held that an exemption for controllers involved in immigration-related activities from obligations under UK GDPR is incompatible with provisions in the UK GDPR itself. The second is that, for the first time, both adequacy decisions include a sunset clause limiting their duration to 4 years. The European Commission has also said it will actively review UK law on data protection and may intervene if standards deviate. This means that the UK risks losing the adequacy decisions or facing the review process again if it lowers standards of protection. It also raises the possibility that the UK could lose the adequacy decisions if it fails to adopt any changes made to the EU regime.
Comment
The decisions are of huge benefit to organisations, which will now not be saddled with the burden of putting in place additional contractual terms or assessments when exchanging personal data with the EU. They are also important to the UK in building trade agreements with other countries and developing international data transfer regimes across the world.