Tuesday, 29 June 2021

Commission Adequacy Decision

European Commission
Author: EmDee. Licence: CC BY-SA 4.0. Source: Wikipedia Commons.

Jane Lambert

The uninterrupted exchange of personal data across borders is vital for the financial and other service industries. As I noted in Another Data Protection Act! "You're joking! Not another one!" - A Short History of Data Protection Legislation in the UK, 23 Sept 2017, NIPC Law, it was restrictions on the transfer of personal data from countries that had enacted data protection legislation rather than the Younger and Lindop reports that prompted Parliament to enact the first Data Protection Act in 1984. Until 23:00 on 31 Dec 2020, businesses in the UK could rely on art 1 (3) of the General Data Protection Regulation (Regulation (EU) 2016/679), which provides that the free movement of personal data within the European Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data. That was because EU law continued to apply to the UK between 23:00 on 31 Jan and 23:00 on 31 Dec 2020 pursuant to art 127 (1) of the agreement by which the UK withdrew from the EU.

Upon the expiry of that period, the United Kingdom became a "third country" for the purposes of art 44 of the GDPR.  That article provides:

"Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined."

Art 45 (1), however, provides:

"A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation."

The rest of that article sets out the criteria by which the Commission can make such a decision and the procedure for reaching it.

By a decision dated 28 June 2021 (Commission Implementing Decision of 28.6.2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom (C(2021) 4800 final)), the Commission has decided that for the purposes of art 45 of the GDPR the UK ensures an adequate level of protection for personal data transferred within the scope of the GDPR from the EU to the UK. The decision consists of 93 pages, almost all of which are recitals setting out the Commission's reasons. The decision on adequacy is contained in art 1 (1). Art 3 (1) of the Decision requires the Commission to "monitor the application of the legal framework upon which this Decision is based, including the conditions under which onward transfers are carried out, individual rights are exercised and United Kingdom public authorities have access to data transferred on the basis of this Decision, with a view to assessing whether the United Kingdom continues to ensure an adequate level of protection within the meaning of Article 1." The Commission has power under art 3 (4) to suspend, repeal or amend the decision where it has indications that an adequate level of protection is no longer ensured. It can also suspend, repeal or amend the decision under art 3 (5) if a lack of cooperation of the UK government prevents the Commission from determining whether the finding in art 1 (1) is affected. The decision shall expire on 27 June 2025, unless extended in accordance with art 93 (2) of the GDPR.

Art 1 (2) of the decision makes clear that it does not cover personal data that is transferred for purposes of UK immigration control or that otherwise falls within the scope of the exemption from certain data subject rights for purposes of the maintenance of effective immigration control pursuant to para 4 (1) of Sched. 2 to the Data Protection Act 2018.  Art 2 (2) (d) of the GDPR states that the regulation does not apply to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.   Such processing is regulated by the Law Enforcement Directive (Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA). 

Art 35 (1) of the directive imposes the following obligation upon EU member states:

"Member States shall provide for any transfer by competent authorities of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation including for onward transfers to another third country or international organisation to take place, subject to compliance with the national provisions adopted pursuant to other provisions of this Directive, only where the conditions laid down in this Chapter are met, namely:
(a) the transfer is necessary for the purposes set out in Article 1 (1);
(b) the personal data are transferred to a controller in a third country or international organisation that is an authority competent for the purposes referred to in Article 1 (1);
(c) where personal data are transmitted or made available from another Member State, that Member State has given its prior authorisation to the transfer in accordance with its national law;
(d) the Commission has adopted an adequacy decision pursuant to Article 36, or, in the absence of such a decision, appropriate safeguards have been provided or exist pursuant to Article 37, or, in the absence of an adequacy decision pursuant to Article 36 and of appropriate safeguards in accordance with Article 37, derogations for specific situations apply pursuant to Article 38; and
(e)  in the case of an onward transfer to another third country or international organisation, the competent authority that carried out the original transfer or another competent authority of the same Member State authorises the onward transfer, after taking into due account all relevant factors, including the seriousness of the criminal offence, the purpose for which the personal data was originally transferred and the level of personal data protection in the third country or an international organisation to which personal data are onward transferred."

Art 36 of the Law Enforcement Directive is very similar to art 45 of the GDPR. By Commission Implementing Decision of 28.6.2021 pursuant to Directive (EU) 2016/680 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom (C(2021) 4801 final), the Commission found that the UK ensures an adequate level of protection for personal data transferred from the EU to UK public authorities responsible for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties for the purposes of art 36. The decision requires the Commission to monitor the UK government's compliance with the legal framework and enables the Commission to suspend, repeal or amend the decision in the event of non-compliance or non-cooperation. Subject to that provision, the decision also remains in force until 27 June 2025.

In an ICO statement in response to the EU Commission’s announcement on the approval of the UK’s adequacy, the Information Commissioner said:
“This is a positive result for UK businesses and organisations.
Approved adequacy means that businesses can continue to receive data from the EU without having to make any changes to their data protection practices.
Adequacy is the best outcome as it means organisations can carry on with data protection as usual. And people will continue to enjoy the protections that their data will be used fairly, lawfully and transparently.
The result is also a testament to the strength of the UK’s data protection regime.”

Anyone wishing to discuss this article or data protection generally may call me on 020 7404 5252 during office hours or send me a message through my contact form.