How does our data protection framework measure up?
DCMS policy paper published to help UK acquire adequacy status from the EC
The United Kingdom’s (“UK”) exit from the European Union (“EU”) has raised a number of legal questions, and there has been a lot of discussion and speculation in recent months as to what will happen at the end of the transition period, both in data protection circles and more broadly. One question with wide-ranging practical implications is whether the EU will consider the UK to have an adequate data protection framework and whether it will grant it so-called “adequacy status”.
What is “adequacy status”?
Pursuant to Article 45 of Regulation (EU) 2016/679, General Data Protection Regulation (“GDPR”), the European Commission (“EC”) has the power to determine whether a country outside the EU offers an adequate level of data protection.
Given that the GDPR has been transposed into UK law by the Data Protection Act 2018, one might expect this to be a simple tick-box exercise. However, the process may not be as straightforward. Understandably, the EC’s primary focus is on ensuring that the protections afforded by the GDPR cannot be circumvented when data is transferred outside of the EU. Such action would effectively render their preparation and enforcement of a strict data protection regime redundant. Consequently, the EC will want to consider all aspects of the UK’s data protection framework when taking its decision.
What does it mean to be “adequate”?
Adequacy, from a GDPR perspective, refers to the ability of a country outside the EU to:
- offer guarantees ensuring an adequate level of protection essentially equivalent to that ensured within the EU; and
- ensure that data subjects are provided with effective and enforceable rights and effective administrative and judicial redress.
In its assessment of the adequacy of the data protection framework of a country outside of the EU (a “third country”), the EC will consider a number of factors, including how that third country respects the rule of law, access to justice and the scope of relevant standards and legislation. The EC will also make sure the third country can ensure effective independent data protection supervision and can provide for cooperation mechanisms with other EU data protection authorities¹.
DCMS Policy Paper
The Department for Digital, Culture, Media and Sport (“DCMS”) recently published a policy paper and supporting documents which seek to provide “an overview of the UK’s comprehensive legal framework underpinning high data protection standards”² and which is intended to facilitate adequacy discussions with the EC. The DCMS’ overarching objective is to ensure the UK acquires adequacy status as quickly as possible in order to maintain the continued free flow of personal data between the EU, UK and Gibraltar. The policy paper addresses each of the adequacy criteria described above and seeks to demonstrate not only that the UK currently meets the adequacy status requirements but that it will continue to do so post-Brexit.
What does it mean for companies if the UK acquires adequacy status?
Adequacy status would continue to allow the free flow of personal data, which is vital for imports and exports of both goods and services. In practical terms, there is little difference between the current mechanisms for transferring personal data to and from EU countries – as at the date of writing – and the mechanisms required if the UK acquires adequacy status. Other than relatively minor changes to terminology, which may or may not be required, commercial contracts involving the receipt of personal data into the UK from the EU would be largely unaffected.
What happens if the UK does not acquire adequacy status?
Contrastingly, if the UK does not acquire adequacy status, it will be treated by Member States as a third country for the purposes of transfers involving the receipt of personal data into the UK from the EU.
Transfers of personal data intended for processing after transfer to a third country or to an international organisation can only lawfully take place if there is an effective transfer mechanism. A transfer on the basis of an adequacy decision is one lawful transfer mechanism. In the absence of an adequacy decision, options include mechanisms such as:
- transfers subject to appropriate safeguards, including binding corporate rules or the standard data protection clauses adopted by the Commission, also referred to as the standard contractual clauses; and/or
- transfers subject to a derogation for a specific situation, including where there is explicit consent of the data subject, important reasons of public interest, or it is necessary in order to protect the vital interests of the data subject or of other persons.
As those of you who have previously dealt with other transfer mechanisms will be aware, binding corporate rules can be cumbersome to put in place and the standard contractual clauses can be awkward to incorporate in what might ordinarily be a streamlined commercial contracting process.
If the UK does not acquire an adequacy decision, Member State organisations would be looking at the above transfer mechanisms to transfer data to UK organisations, making it less straightforward for them to enter into contracts in any data-centric sector.
Throughout its policy paper and supporting documents, DCMS demonstrates that “the UK has a wide range of measures that create a digital environment in which citizens can feel safe and secure and have trust in how their data is used”. Whilst we are generally optimistic that a positive decision on our adequacy status should be forthcoming, which would minimise disruption to existing data flows and be one less hurdle for businesses to face, this is an area that should be kept under review. If it becomes apparent that an adequacy decision is not going to be granted as the transition period goes on, businesses will need to put in place an effective transfer mechanism from 2021 onwards.
¹Recital (104), Regulation (EU) 2016/679, General Data Protection Regulation.
²DCMS Explanatory Framework for Adequacy Discussions – Section A: Covering Note