How does our data protection framework measure up?
DCMS policy paper published to help UK acquire adequacy status from the EC
The United Kingdom’s (“UK”) exit from the European Union (“EU”) has raised a number of legal questions, and there has been a lot of discussion and speculation in recent months as to what will happen at the end of the transition period, both in data protection circles and more broadly. One question with wide-ranging practical implications is whether the EU will consider the UK to have an adequate data protection framework and whether it will grant it so-called “adequacy status”.
What is “adequacy status”?
Pursuant to Article 45 of Regulation (EU) 2016/679, General Data Protection Regulation (“GDPR”), the European Commission (“EC”) has the power to determine whether a country outside the EU offers an adequate level of data protection.
Given that the GDPR has been transposed into UK law by the Data Protection Act 2018, one might expect this to be a simple tick-box exercise. However, the process may not be as straightforward. Understandably, the EC’s primary focus is on ensuring that the protections afforded by the GDPR cannot be circumvented when data is transferred outside of the EU. Such action would effectively render their preparation and enforcement of a strict data protection regime redundant. Consequently, the EC will want to consider all aspects of the UK’s data protection framework when taking its decision.
What does it mean to be “adequate”?
Adequacy, from a GDPR perspective, refers to the ability of a country outside the EU to:
- offer guarantees ensuring an adequate level of protection essentially equivalent to that ensured within the EU; and
- ensure that data subjects are provided with effective and enforceable rights and effective administrative and judicial redress.
In its assessment of the adequacy of the data protection framework of a country outside of the EU (a “third country”), the EC will consider a number of factors, including how that third country respects the rule of law, access to justice and the scope of relevant standards and legislation. The EC will also make sure the third country can ensure effective independent data protection supervision and can provide for cooperation mechanisms with other EU data protection authorities¹.
DCMS Policy Paper
The Department for Digital, Culture, Media and Sport (“DCMS”) recently published a policy paper and supporting documents which seek to provide “an overview of the UK’s comprehensive legal framework underpinning high data protection standards”² and which is intended to facilitate adequacy discussions with the EC. The DCMS’ overarching objective is to ensure the UK acquires adequacy status as quickly as possible in order to maintain the continued free flow of personal data between the EU, UK and Gibraltar. The policy paper addresses each of the adequacy criteria described above and seeks to demonstrate not only that the UK currently meets the adequacy status requirements but that it will continue to do so post-Brexit.
What does it mean for companies if the UK acquires adequacy status?
Adequacy status would continue to allow the free flow of personal data, which is vital for imports and exports of both goods and services. In practical terms, there is little difference between the current mechanisms for transferring personal data to and from EU countries – as at the date of writing – and the mechanisms required if the UK acquires adequacy status. Other than relatively minor changes to terminology, which may or may not be required, commercial contracts involving the receipt of personal data into the UK from the EU would be largely unaffected.
What happens if the UK does not acquire adequacy status?
Contrastingly, if the UK does not acquire adequacy status, it will be treated by Member States as a third country for the purposes of transfers involving the receipt of personal data into the UK from the EU.
Transfers of personal data intended for processing after transfer to a third country or to an international organisation can only lawfully take place if there is an effective transfer mechanism. A transfer on the basis of an adequacy decision is one lawful transfer mechanism. In the absence of an adequacy decision, options include mechanisms such as:
- transfers subject to appropriate safeguards, including binding corporate rules or the standard data protection clauses adopted by the Commission, also referred to as the standard contractual clauses; and/or
- transfers subject to a derogation for a specific situation, including where there is explicit consent of the data subject, important reasons of public interest, or it is necessary in order to protect the vital interests of the data subject or of other persons.
As those of you who have previously dealt with other transfer mechanisms will be aware, binding corporate rules can be cumbersome to put in place and the standard contractual clauses can be awkward to incorporate in what might ordinarily be a streamlined commercial contracting process.
If the UK does not acquire an adequacy decision, Member State organisations would be looking at the above transfer mechanisms to transfer data to UK organisations, making it less straightforward for them to enter into contracts in any data-centric sector.
Throughout its policy paper and supporting documents, DCMS demonstrates that “the UK has a wide range of measures that create a digital environment in which citizens can feel safe and secure and have trust in how their data is used”. Whilst we are generally optimistic that a positive decision on our adequacy status should be forthcoming, which would minimise disruption to existing data flows and be one less hurdle for businesses to face, this is an area that should be kept under review. If it becomes apparent that an adequacy decision is not going to be granted as the transition period goes on, businesses will need to put in place an effective transfer mechanism from 2021 onwards.
¹Recital (104), Regulation (EU) 2016/679, General Data Protection Regulation.
²DCMS Explanatory Framework for Adequacy Discussions – Section A: Covering Note
Sponsor Licence Compliance: Key considerations & how to be audit ready
Join us for the third in our series of mini webinars on post Brexit immigration about sponsor licence compliance.
UK SPACs: could changes to the UK Listing Rules spark an increase?
SPAC listing popularity has increased. Could the UK be the next hotspot following proposed changes to the Listing Rules?
Sustainable Investing: From ESG Integration to Impact Investing
We have a wide perspective on the range of issues that fall within the spectrum from ESG to impact investing.
Liability for costs of repair (City of London v. Leaseholders of Great Arthur House)
Oliver Park writes an article for Lexis®PSL on a property dispute case.
Data Protection: All roads lead back to the GDPR
Across the globe, jurisdictions continue to develop their data protection and privacy laws.
New tax on property developers - consultation paper published
The government published a consultation paper on the design of the new residential property developers tax.
Procuring modular housing: Is MMC becoming mainstream?
Is Modern Methods of Construction becoming mainstream? Read what it means for Development and Procurement here.
Dual class share structures: how do they work and what are the pros and cons?
Dual class share structures allow a shareholder, for example the founder, to retain voting control over a company.
Q&A: Talking the telecoms talk
Georgina Muskett and Jonathan Wills answer queries on Electronic Communications Code agreement.
Property Patter: Navigating the complexities of Pharmacy Property
Pharmacy property is a specialist area which contains many traps for the unwary.
COVID-19 Vaccination – can an employer make it compulsory for employees?
We review what legal issues to take into account when considering to make vaccination compulsory as an employer.
Music to our ears? Well, perhaps not for Apple.
A feud first began when the music streaming giant, Spotify, filed a complaint against music streaming provide rand competitor, Apple Inc.
Linking ESG and Executive Pay
How does a business go about embedding a focus on strong ESG performance into the structures and culture of its organisation?
National Security and Investment Act granted Royal Assent
The Act establishes a new regime for the review of mergers, acquisitions and other transactions that could threaten national security.
Recent Trends In Firewall Legislation: BVI, Bermuda And Gibraltar
Charles Russell Speechlys advises Waverton on acquisition of Cornerstone Asset Management
Established in July 2010 and with offices in Edinburgh and Glasgow, Cornerstone offers wealth management and financial planning advice.
What do the new Debt Respite Scheme Regulations mean for Landlords and Tenants?
This will provide legal protection from creditors in the form of either a breathing space or a mental health crisis moratorium.
Charles Russell Speechlys promotes five to Partner
The promotions are effective 1 May 2021 and are accompanied by one Legal Director and 15 Senior Associate promotions.
Risk allocation in commercial leases: the High Court considers rent suspension, insurance and frustration arguments
Read our summary of the full judgement on the latest Covid arrears case.
Proposed Takeover Code Amendments – Key Changes
The Consultation Paper has now been followed by a corresponding response paper which made certain modifications to the initial proposals.