Brexit Data Protection Adequacy Decision

The European Commission has given an ‘adequacy decision’ to number of “third countries” such as Andorra, Japan, Israel and New Zealand. John O'Shea and David Collins of our Legal Services team explain.

This adequacy decision permits the transfer of personal data from European Union (the "EU") Member States to these third countries. This is allowed, as these countries have a satisfactory level of data protection safeguards compared to the EU Data Protection framework. 

The European Commission has the power to determine, under Regulation (EU) 2016/679 on whether a country outside the EU offers an adequate level of data protection. The steps involved for the adoption of an adequacy decision are follows:

  • a proposal from the European Commission;
  • an opinion of the European Data Protection Board;
  • an approval from representatives of EU countries; and
  • the adoption of the decision by the European Commission.

No adequacy decision between the EU and a country which has been awarded one has ever been revoked.

The UK left the EU on 31 December 2020 and from 1 January 2021 the UK will be treated as a third country for purposes of the EU General Data Protection Regulation (“GDPR”).

However, the TCA states that transfers of personal data from the EU to the UK will not be considered transfers of personal data to a third country during the Specified Period and will not be prohibited by the GDPR.  The Specified Period begins on 1 January 2021 and ends:

  • on the date on which an adequacy decision in relation to the UK is adopted by the European Commission under Article 45(3) of the GDPR and Article 36(3) of Directive (EU) 2016/680; or
  • four months after the specified period begins, which period shall be extended by two further months unless one of the Parties objects.

Therefore, personal data may be transferred between the EU and UK from 1 January 2021 until the end of the Specified Period with transfers of personal data from the EU to the UK not being permitted from that time unless EU data exporters of data have taken steps to ensure adequate protection.

It is anticipated that the European Commission will grant the UK an adequacy decision in 2021. However, it is unknown whether that will happen before the end of the Specified Period.

Until an adequacy decision is formally adopted, it would be recommended for companies and organisations, to insert model Standard Contractual Clauses (SCCs) (approved by the European Commission) in the contracts which would provide the appropriate safeguards for the transfer of personal data to the UK in any event and would provide as robust a protection as possible. 

In the unlikely scenario that a no adequacy decision is adopted, the UK (including Northern Ireland) will become a “third country” for the purposes of GDPR. This means that the legal framework governing transfers of personal data from organisations established in the EU to organisations established in the UK will change as transfers of personal data to the UK will be subject to the rules on international transfers to third countries provided for in the GDPR and other EU directives and regulations.

In its adequacy decisions, the Commission should provide for a periodic review mechanism of their functioning. The Commission may recognise that a third country, a territory or a specified sector within a third country, or an international organisation no longer ensures an adequate level of data protection. Consequently, the transfer of personal data to that third country or international organisation should be prohibited, unless the requirements in this Regulation relating to transfers subject to appropriate safeguards, including binding corporate rules, and derogations for specific situations are fulfilled. In that case, provision should be made for consultations between the Commission and such third countries or international organisations.

The TCA also comprises of some general measures which relate to data protection and privacy. This includes assurances by both parties not to enact restrictions that would limit cross-border data flows between the EU and the UK.

Schrems II and no Adequacy Decision

The Schrems II judgement by the Court of Justice of the European Union (CJEU) on 16 July 2020 has had consequences on the use of SCCs. Schrems II refers to the Data Protection Commissioner v Facebook Ireland and Maximillian Schrems. Maximillian Schrems is an Austrian lawyer, who became known for legal cases against Facebook for its alleged privacy violations. 

In Schrems II, the Irish High Court officially referred the case to the CJEU, along with eleven questions to address related to the validity of SCCs. The CJEU both affirmed the validity of Commission Decision 2010/87/EU which provided for SCCs for data transfers, and invalidated Commission Decision 2016/1250 which was the legal basis of the EU-US Privacy Shield. A Commission Decision is a legally binding decision issued by the European Commission at the end of a regulatory procedure, such as a marketing authorisation application or arbitration procedure.

The EU–US Privacy Shield was a framework for regulating exchanges of personal data between the European Union and the United States. It allowed US companies to receive personal data from EU entities more easily under EU data protection laws. It was a replacement for the International Safe Harbor Privacy Principles, which had been declared invalid by the CJEU in October 2015.

The CJEU upheld the use of SCCs, and also affirmed that the European Commission has no obligation to evaluate the level of data protection in countries to which data are transferred under them. In upholding the use of SCCs, the CJEU relied on statements in the General Data Protection Regulation (GDPR) foreseeing the use of “other clauses and additional safeguards” in cases where the SCCs cannot ensure protection. The GDPR is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA).

Data controllers are more accountable for taking action when legislation in the country of import allows for access to data going beyond EU standards. Data controllers determine the purposes for which and the means by which personal data is processed. If a company/organisation decides ‘why’ and ‘how’ personal data should be processed, then it is a data controller. The CJEU states that data controllers transferring data under the SCCs must “verify whether the law of the third country of destination ensures adequate protection under EU law” , and that they “are required to verify, prior to any transfer, whether the level of protection required by EU law is respected in the third country concerned” . This will require data controllers to become experts in third-country law in a way and raises questions in particular about data transfers to third countries that are non-democratic or where the rule of law does not apply.

Get in touch

If you have any queries on how Brexit will affect your business, please get in touch with our dedicated Brexit Response Team.

Read more