What are adequacy decisions?
The EU’s data privacy regime is exacting, and includes restrictions on international transfers of personal data. The General Data Protection Regulation, or GDPR, only allows the personal data of EU citizens to cross borders out of the bloc if stringent requirements are met. One way of meeting these is to establish that the recipient country offers an adequate level of privacy protections, formally recognised by an adequacy decision issued by the EU Commission. This is the process that is currently under way for the UK.
Where are we now?
On 19 February, the EU Commission issued draft adequacy decisions under both the GDPR and its companion Directive applicable to information used in relation to law enforcement. Approval of the draft adequacy decisions was not a foregone conclusion, however. The grouping of member state regulators, the EDPB, was broadly supportive of the decisions when it gave its opinions on 13 April, although it did identify several areas of concern. Now the European Parliament has taken up these issues and is calling on the Commission to amend the two draft decisions and toughen its monitoring activity in the future.
We are currently operating within a transitional period provided for in the EU-UK Trade and Cooperation Agreement finalised in December 2020. That lasts until 30 June 2021. Without a further extension there is little time left to sort out the final form of the decisions.
The UK has already implemented EU law so why is there a problem?
It may be surprising that MEPs are concerned about the grant of adequacy decisions given the UK’s close alignment with the EU system. Adequacy decisions have already been granted to Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay, with South Korea currently in progress. And the UK was until the end of 2020 subject to the EU’s legal regime.
However, factors like the proximity of the UK to the EU, the size of its economy and existing high levels of cross-border activity perhaps explain closer scrutiny being given to this process. What’s more, UK Government pronouncements on an intention to diverge from the EU’s data privacy regime appear to have startled MEPs.
The areas identified for concern by both the EDPB and the European Parliament were:
- data processing for the purposes of controlling immigration,
- mass surveillance by UK national security authorities,
- onward transfers to other countries, and
- international agreements that the UK might forge with non-EU countries (noting the UK’s application to join the Comprehensive and Progressive Trans-Pacific Partnership (CPTTP).
The MEPs felt that each of these areas required clarification.
The MEPs narrowly approved resolution (344 votes in favour, 311 against and 28 abstaining) leaves final approval of the adequacy decisions in doubt. It seems likely that they will be approved given the potential for serious disruption of existing activity, although we can expect close scrutiny of the UK’s law and practice in this area going forward.
Without amendment of the current draft decisions, MEPs said that EU national data protection authorities should be able to suspend transfers of personal data to the UK where concerns arise. So even if the decisions are finalised, we can anticipate national regulators and the courts being asked to intervene in sensitive areas.
Learn more about our data protection services.