The European Commission Released a Draft Adequacy Decision for the United Kingdom

 

In case you’ve been busy dodging novel viruses and winter storms, here’s a recap of why that’s important (be forewarned, we’re oversimplifying and condensing quite a bit for brevity).

Among other momentous things that occurred in 2016, the UK voted to leave the European Union in what has been dubbed “Brexit.” Brexit became effective on January 31, 2020 and thereafter EU law and the EU Court of Justice or “ECJ” no longer had precedence over British law and courts. To help ease the impact of that abrupt change, the UK Parliament passed the European Union (Withdrawal) Act 2018 which retains relevant EU law as domestic UK law.

For privacy and data security law purposes, the Withdrawal Act and related regulations did two key things:

  • First, they “froze” the GDPR, in its then-current EU form as of January 31, 2020. That frozen or “EU GDPR” version was then applied to all data received/transferred from the period before Brexit went into effect up to December 31, 2020.
  • Second, from December 31, 2020 and after, they make the GDPR part of domestic UK law and rename it the “UK GDPR.”

The UK GDPR isn’t quite an exact replica of the “frozen” EU GDPR. For instance, it changes the governing and binding interpretive bodies from the European Commission and ECJ, respectively, to the UK Secretary of State and UK courts. The replacement of the ECJ with the UK courts means the UK GDPR will inevitably continue to diverge from EU GDPR over time—though we suspect, that on big issues (like Schrems II which we explain here) the UK courts will follow the Swiss model of hewing closely to the ECJ.

So what does any of this have to do with an adequacy decision by the EU, you ask? Good question.

Recall that under the GDPR personal data can only be transferred out of the European Economic Area in one of two ways, either:

  • through an approved mechanism under GDPR Articles 46 or 49; or
  • if the European Commission has deemed the privacy laws of the destination country to be “adequate”

Since Article 46 mechanisms have been relentlessly (and successfully) attacked by Schrems and his aligned groups for over four years now, and Article 49 is largely untested, adequacy is far and away the preferred basis for transfer. Adequacy decisions are, however, very hard to come by. Up until now, only about a dozen have been granted.

To be sure, for companies governed by the GDPR who regularly move personal data to the UK, the failure of the UK to receive its own adequacy decision would be pretty burdensome. It would mean that long-standing personal data transfer practices would need to be entirely revisited, contracts amended and all manner of other compliance and operational impacts dealt with.

If, on the other hand, the UK receives an adequacy decision, things pretty much remain status quo ante for the foreseeable future. So while there are a few hurdles left before it becomes official, the fact that the EU has issued a draft decision this soon after the magic date of December 31, 2020, is a very good sign.

Watch this space. We’ll keep you updated.

Comments are closed.