What is Adequacy?

NB: This blog was updated on 29/6/21 to reflect the EU Commission’s decision to grant the UK AdequacyA status granted by either the EU Commission (EU) or UK government (UK) to third countries that provide personal data protection that is essentially equivalent to that provided in EU or UK law..

Adequacy, the word that has been on everyone’s lips – well, perhaps not everyone’s.

Throughout the UK’s transition period out of the EU, the media has been filled with talk of fishing rights, import and export tariffs, and free movement of people. Meanwhile, those in the data protection world have been debating how Brexit will impact the free movement of data. In every debate on this topic, the word adequacy will invariably arise, described as the ideal solution to guarantee the free flow of data between the EU and UK. However, what does ‘Adequacy’ actually mean? This blog attempts to provide some clarity on just that.

What is adequacy and why is it important?

Adequacy, or Data Adequacy, is a status that the European CommissionOne of the core institutions of the European Union, responsible for lawmaking, policymaking and monitoring compliance with EU law. can grant to countries that are not part of the European Economic Area (EEA). To be deemed adequate, countries outside of the EEA (known as third countriesCountries that are not part of the European Economic Area (EEA).) must provide a level of personal dataInformation which relates to an identified or identifiable natural person. protection that is ‘essentially equivalent’ to the protection provided in EU law. In other words, the European Commission must be satisfied that EU residents’ personal data will be just as protected within the third countryA country that is not part of the European Economic Area (EEA)., as it is in the EU.

Currently, the European Commission have deemed 12 countries adequate:

• Andorra
• Argentina
• Canada
• Faroe Islands
• Guernsey
• Israel
• Isle of Man
• Japan
• Jersey
• New Zealand
• Switzerland
• Uruguay

When a country is deemed adequate, personal data is able to flow freely between it and the EEA, with no extra precautions required. From a UK perspective, imports and exports of both goods and services rely heavily on the guaranteed free flow of personal data to and from the EU. The Department for Digital, Culture, Media & Sport estimates that EU personal data-enabled services exports from the UK to the EU are worth approximately £85 billion, and similar exports from the EU to the UK approximately £45 billion. Therefore, it is vital that this free flow of data continues.

On the 28th of June 2021, the Information Commissioner’s Office (ICOThe United Kingdom’s independent ‘supervisory authority’ for ensuring compliance with the UK GDPR, Data Protection Act 2018, the Privacy and Electronic Communications Regulations etc.) confirmed that the UK has been granted adequacy by the European Commission. This was a welcome relief because, if not deemed adequate, organisations would of had to provide additional safeguardsWhen transferring personal data to a third country, organisations must put in place appropriate safeguards to ensure the protection of the personal data. They should ensure that data subjects' rights will be respected and that the data subject has access to redress if they are not, and that the GDPR principles will be adhered to whilst the personal data is... in order to transferThe movement of data from one place to another, this could be, for example, from one data controller to another, or from one jurisdiction to another. personal data to and from the EU and processA series of actions or steps taken in order to achieve a particular end. the personal data of EU residents. This would have been costly, so could have impacted UK organisations’ ability to be competitive within the market when up against their European counterparts that do not have the same expenditures.

UK adequacy considerations

Although the UK has transposed the GDPR into its domestic law (the ‘UK GDPR’ entered into force on the 1^st of January 2021), this did not guarantee adequacy. A potential stumbling block came in the form of national security legislation, such as the Investigatory Powers Act 2016.

In two recent cases, the CJEU ruled to restrict the grounds for mass data retentionIn data protection terms, a defined period of time for which information assets are to be kept. for surveillance purposes. In the future, governments will only have grounds for mass data retention where they face a ‘serious threat to national security’. This does not align with the provisions within the Investigatory Powers Act, which allows for wider surveillance, albeit with safeguards in place. This is problematic because following the Court’s judgment, national security legislation can now be taken into account by the European Commission when making an adequacy assessment, which put an Adequacy decision in the UK’s favour in doubt.

Bridging period

The UK left the EU on 31^st December 2020, however, whilst the EU Commission considered whether to grant the UK Adequacy, the Brexit deal that was agreed provided a bridge period of up to six months whereby the existing rules on data transfers between the UK and EU remained in place. This meant that personal data could still flow freely between the EU and the UK without any additional safeguards in place, allowing for the least amount of disruption to businesses whilst an adequacy decision was reached, which occurred with just two days of the bridging period remaining.

Whilst no additional transfer safeguards were needed during the bridging period, not all GDPR obligations stayed the same after 1^st January.

Article 27

Since the UK formally left the EU,  organisations that were previously exempt from complying with Article 27 because they had an establishment in the UK have had to appoint an EU Representative. This means that if your organisation has a presence in the UK but not in the EU, and regularly processes the personal data of EU citizens, you will now be in breach of your GDPR obligations if you have not appointed an EU Rep.

Similarly, the UK GDPRThe UK General Data Protection Regulation. Before leaving the EU, the UK transposed the GDPR into UK law through the Data Protection Act 2018. This became the UK GDPR on 1st January 2021 when the UK formally exited the EU., which has its own Article 27, came into force on 1^st January 2021. Therefore, if your organisation regularly processes the personal data of UK citizens but does not have a presence within the UK, you are now required to appoint a UK Representative.

As the UK is now a 3rd CountryA country that is not part of the European Economic Area (EEA). in respect of EU data protection lawAny law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (as amended, consolidated or re-enacted from time to time) that relates to the protection of individuals with regards to the Processing of Personal Data. (and vice versa), Article 27 applies in both of these scenarios, irrespective of an adequacy decision.

Conclusion

Whilst there was no guarantee that after the bridging period the UK would be deemed adequate and personal data allowed to flow freely; nor that the European Commission would have even come to a decision on this point by June 2021, fortunately with just two days to spare, Adequacy was granted.

This means that organisations can continue to transfer personal data between the UK and EU freely without requiring additional safeguards to be in place. In response to the news that the UK had been deemed adequate, Elizabeth Denham, the Information Commissioner, said “Adequacy is the best outcome as it means organisations can carry on with data protection as usual. And people will continue to enjoy the protections that their data will be used fairly, lawfullyIn data protection terms, it must satisfy one of the appropriate lawful basis for processing and must not contravene any other statutory or common law obligations. and transparently… The result is also a testament to the strength of the UK’s data protection regime.” Although this is, by all accounts, great news, it must be noted that this decision is not permanent. Adequacy has only been granted for the next four years, after which the EU Commission will review the UK’s data protection landscape again and either renew, or revoke, the UK’s adequate status. Although this is a long way off, it is something that organisations should bear in mind in the future.

In addition, perhaps more urgently, organisations must also consider, if they have not already, whether they are required to appoint an EU or UK Representative.