On 14 April 2021, the European Data Protection Board (“EDPB”) adopted its Opinion on the draft adequacy decision issued by the European Commission in February. The EDPB took a broadly positive view of the draft adequacy decision. If approved, the adequacy decision will enable the continued free flow of data from the EEA to the UK.
The EDPB noted that “the UK data protection framework is largely based on the EU data protection framework” and, therefore, key areas of alignment exist in the EU and UK’s data protection measures. These included in areas such as “grounds for lawful and fair processing for legitimate purposes; purpose limitation; data quality and proportionality; data retention, security and confidentiality; transparency; special categories of data; and on automated decision making and profiling”.
However, the Opinion included some warnings and identified a few areas that will need to be monitored going forwards to ensure the adequacy decision remains in place. These included:
- The UK Data Protection Act’s “immigration exception”, which exempts controllers involved in activities related to immigration from certain GDPR obligations
- The rules that govern onward personal data transfers from the EU to a third country via the UK
- The EDPB’s long-standing concern over the powers to intercept communication under the UK’s Investigatory Powers Act 2016. Although the EDPB approved the creation of the Investigatory Powers Tribunal and the introduction of Judicial Commissioners, it warned that this did not mitigate the above concerns
The Opinion given by the EDPB is not binding but will be persuasive when Member States, acting through the European Council, decide whether to formally approve the adequacy decision. If adopted, the adequacy decision will be valid for a four years, after which it may be renewed if the UK’s data protection measures continue to be adequate.
What does this mean for the business?
Currently, data transfers are unrestricted from the EEA to UK until 30 April 2021 under the terms of the Trade and Cooperation Agreement. This will be automatically extended to 30 June 2021, unless either side objects. After that, businesses will need the adequacy decision to be in place so that they can continue to transfer personal data from the EEA to the UK. Failing that, they will have to implement other appropriate safeguards (such as Standard Contractual Clauses) in order to transfer personal data from the EEA to the UK.
Article originally published by ELLINT’s UK member firm, Doyle Clayton, on 21 April 2021.