NB: This blog was updated on 29/6/21 to reflect the EU Commission’s decision to grant the UK Adequacy.
Adequacy, the word that has been on everyone’s lips – well, perhaps not everyone’s.
Throughout the UK’s transition period out of the EU, the media has been filled with talk of fishing rights, import and export tariffs, and free movement of people. Meanwhile, those in the data protection world have been debating how Brexit will impact the free movement of data. In every debate on this topic, the word adequacy will invariably arise, described as the ideal solution to guarantee the free flow of data between the EU and UK. However, what does ‘Adequacy’ actually mean? This blog attempts to provide some clarity on just that.
What is adequacy and why is it important?
Adequacy, or Data Adequacy, is a status that the European Commission can grant to countries that are not part of the European Economic Area (EEA). To be deemed adequate, countries outside of the EEA (known as third countries) must provide a level of personal data protection that is ‘essentially equivalent’ to the protection provided in EU law. In other words, the European Commission must be satisfied that EU residents’ personal data will be just as protected within the third country, as it is in the EU.
Currently, the European Commission have deemed 12 countries adequate:
When a country is deemed adequate, personal data is able to flow freely between it and the EEA, with no extra precautions required. From a UK perspective, imports and exports of both goods and services rely heavily on the guaranteed free flow of personal data to and from the EU. The Department for Digital, Culture, Media & Sport estimates that EU personal data-enabled services exports from the UK to the EU are worth approximately £85 billion, and similar exports from the EU to the UK approximately £45 billion. Therefore, it is vital that this free flow of data continues.
On the 28th of June 2021, the Information Commissioner’s Office (ICO) confirmed that the UK has been granted adequacy by the European Commission. This was a welcome relief because, if not deemed adequate, organisations would have had to provide additional safeguards in order to transfer personal data to and from the EU and process the personal data of EU residents. This would have been costly, so could have impacted UK organisations’ ability to be competitive within the market when up against their European counterparts that do not have the same expenditures.
UK adequacy considerations
Although the UK has transposed the GDPR into its domestic law (the ‘UK GDPR’ entered into force on the 1st of January 2021), this did not guarantee adequacy. A potential stumbling block came in the form of national security legislation, such as the Investigatory Powers Act 2016.
In two recent cases, the CJEU ruled to restrict the grounds for mass data retention for surveillance purposes. In the future, governments will only have grounds for mass data retention where they face a ‘serious threat to national security’. This does not align with the provisions within the Investigatory Powers Act, which allows for wider surveillance, albeit with safeguards in place. This is problematic because following the Court’s judgment, national security legislation can now be taken into account by the European Commission when making an adequacy assessment, which put an Adequacy decision in the UK’s favour in doubt.
Bridging period
The UK left the EU on 31st December 2020. However, whilst the EU Commission considered whether to grant the UK Adequacy, the Brexit deal that was agreed provided a bridge period of up to six months whereby the existing rules on data transfers between the UK and EU remained in place. This meant that personal data could still flow freely between the EU and the UK without any additional safeguards in place, allowing for the least amount of disruption to businesses whilst an adequacy decision was reached, which occurred with just two days of the bridging period remaining.
Whilst no additional transfer safeguards were needed during the bridging period, not all GDPR obligations stayed the same after 1st January.
Article 27
Since the UK formally left the EU, organisations that were previously exempt from complying with Article 27 because they had an establishment in the UK have had to appoint an EU Representative. This means that if your organisation has a presence in the UK but not in the EU, and regularly processes the personal data of EU residents, you will now be in breach of your GDPR obligations if you have not appointed an EU Rep.
Similarly, the UK GDPR, which has its own Article 27, came into force on 1st January 2021. Therefore, if your organisation regularly processes the personal data of UK residents but does not have a presence within the UK, you are now required to appoint a UK Representative.
As the UK is now a 3rd Country in respect of EU data protection law (and vice versa), Article 27 applies in both of these scenarios, irrespective of an adequacy decision.
Conclusion
There was no guarantee that the UK would be deemed adequate after the bridging period and personal data allowed to flow freely, nor that the European Commission would even have come to a decision on this point by June 2021. Fortunately, with just two days to spare, Adequacy was granted.
This means that organisations can continue to transfer personal data between the UK and EU freely without requiring additional safeguards to be in place. In response to the news that the UK had been deemed adequate, Elizabeth Denham, the Information Commissioner, said “Adequacy is the best outcome as it means organisations can carry on with data protection as usual. And people will continue to enjoy the protections that their data will be used fairly, lawfully and transparently… The result is also a testament to the strength of the UK’s data protection regime.” Although this is, by all accounts, great news, it must be noted that this decision is not permanent. Adequacy has only been granted for the next four years, after which the EU Commission will review the UK’s data protection landscape again and either renew, or revoke, the UK’s adequate status. Although this is a long way off, it is something that organisations should bear in mind in the future.
In addition, perhaps more urgently, organisations must also consider, if they have not already, whether they are required to appoint an EU or UK Representative.