Ade­quacy decis­i­on: the United King­dom is con­side­red a secu­re third coun­try effec­ti­ve immediately

The EU Com­mis­si­on adopted two ade­quacy decis­i­ons  last week regar­ding data trans­fers bet­ween the EU and the United King­dom (UK). The­se ade­quacy decis­i­ons were adopted both under the Gene­ral Data Pro­tec­tion Regu­la­ti­on (GDPR) and under the Law Enforce­ment Direc­ti­ve.

Signi­fi­can­ce of Brexit for data transfers

Fol­lo­wing “Brexit,” the United King­dom is no lon­ger a mem­ber sta­te of the EU or the Euro­pean Eco­no­mic Area (EEA) as of 1 Janu­ary 2021. Accor­din­gly, the UK is gene­ral­ly clas­si­fied as a “third coun­try” from the view­point of data pro­tec­tion law, so that com­pa­nies trans­fer­ring per­so­nal data to the United King­dom are requi­red to com­ply with Artic­le 44 and the sub­se­quent Artic­les of the GDPR (only in Ger­man). They are requi­red to ensu­re that per­so­nal data in such third count­ries are sub­ject to an ade­qua­te level of data pro­tec­tion which con­forms to that of the GDPR. One way to estab­lish an ade­qua­te level of data pro­tec­tion is for the EU Com­mis­si­on to issue an ade­quacy decis­i­on, in accordance with Artic­le 45(3) of the GDPR. 

Impact of the ade­quacy decisions

The­se ade­quacy decis­i­ons, which take effect imme­dia­te­ly, reflect a fin­ding by the EU Com­mis­si­on that the level of pro­tec­tion for per­so­nal data in the United King­dom, even after Brexit,  con­forms to the level of pro­tec­tion which is gua­ran­teed under EU law. They place trans­fers of per­so­nal data bet­ween the United King­dom and the EU on a secu­re basis in data pro­tec­tion law for a long time to come.

Advan­ta­ges of the ade­quacy decisions

Thanks to the­se ade­quacy decis­i­ons, com­pa­nies trans­fer­ring data to the United King­dom may dis­pen­se with stan­dard con­trac­tu­al clau­ses for the time being, unli­ke the case for data trans­fers to the US. This means that com­pa­nies will not have to per­form the cos­t­ly risk ana­ly­ses which are requi­red when using stan­dard con­trac­tu­al clauses.

Future deve­lo­p­ments

The ade­quacy decis­i­ons app­ly for a limi­t­ed term of four years (the “sun­set clau­se”), during which time the EU Com­mis­si­on plans to con­ti­nue to obser­ve the legal situa­ti­on in the United King­dom and to inter­ve­ne in the event of devia­ti­ons from the exis­ting level of data pro­tec­tion. This step was taken in light of state­ments from cri­tics of the ade­quacy decis­i­ons alle­ging that the powers available to natio­nal secu­ri­ty aut­ho­ri­ties in the United King­dom to access per­so­nal data are com­pa­ra­ble to tho­se of the US natio­nal secu­ri­ty aut­ho­ri­ties which are cri­ti­ci­zed by the ECJ in the “Schrems II” ruling. Accor­din­gly, we can­not enti­re­ly rule out the pos­si­bi­li­ty that data trans­fers to the United King­dom may be pro­ble­ma­tic in the future. But for the time being, the new ade­quacy decis­i­on crea­tes legal cer­tain­ty with regard to data trans­fers bet­ween the EU and the United Kingdom.

Data trans­fers to other third countries

The ade­quacy decis­i­on has no impact on data trans­fers to other third count­ries, such as e.g. the US. Com­pa­nies enga­ging in such trans­fers should heed the new recom­men­da­ti­ons from the Euro­pean Data Pro­tec­tion Board on “Schrems II”, the new stan­dard con­trac­tu­al clau­ses and the ongo­ing inves­ti­ga­ti­ons being con­duc­ted by Ger­man data pro­tec­tion aut­ho­ri­ties.

Cont­act us any­ti­me if you have any ques­ti­ons rela­ting to exis­ting third-country transfers.