What is Adequacy?

AdequacyA status granted by either the EU Commission (EU) or UK government (UK) to third countries that provide personal data protection that is essentially equivalent to that provided in EU or UK law...., the word that has been on everyone’s lips – well, perhaps not everyone’s.

Throughout the UK’s transition period out of the EU, the media has been filled with talk of fishing rights, import and export tariffs, and free movement of people. Meanwhile, those in the data protection world have been debating how Brexit will impact the free movement of data. In every debate on this topic, the word adequacy will invariably arise, described as the ideal solution to guarantee the free flow of data between the EU and UK. However, what does ‘Adequacy’ actually mean? This blog attempts to provide some clarity on just that.

What is adequacy and why is it important?

Adequacy, or Data Adequacy, is a status that the European CommissionOne of the core institutions of the European Union, responsible for lawmaking, policymaking and monitoring compliance with EU law.... can grant to countries that are not part of the European Economic Area (EEA). To be deemed adequate, countries outside of the EEA (known as third countriesCountries that are not part of the European Economic Area (EEA)....) must provide a level of personal dataInformation which relates to an identified or identifiable natural person.... protection that is ‘essentially equivalent’ to the protection provided in EU law. In other words, the European Commission must be satisfied that EU residents’ personal data will be just as protected within the third countryA country that is not part of the European Economic Area (EEA)...., as it is in the EU.

Currently, the European Commission have deemed 12 countries adequate:

• Andorra
• Argentina
• Canada
• Faroe Islands
• Guernsey
• Israel
• Isle of Man
• Japan
• Jersey
• New Zealand
• Switzerland
• Uruguay

When a country is deemed adequate, personal data is able to flow freely between it and the EEA, with no extra precautions required. From a UK perspective, imports and exports of both goods and services rely heavily on the guaranteed free flow of personal data to and from the EU. The Department for Digital, Culture, Media & Sport estimates that EU personal data-enabled services exports from the UK to the EU are worth approximately £85 billion, and similar exports from the EU to the UK approximately £45 billion. Therefore, it is vital that this free flow of data continues.

If not deemed adequate, organisations will have to provide additional safeguardsWhen transferring personal data to a third country, organisations must put in place appropriate safeguards to ensure the protection of the personal data. They should ensure that data subjects' rights will be respected and that the data subject has access to redress if they are not, and that the GDPR principles will be adhered to whilst the personal data is... in order to transferThe movement of data from one place to another, this could be, for example, from one data controller to another, or from one jurisdiction to another.... personal data to and from the EU and processA series of actions or steps taken in order to achieve a particular end.... the personal data of EU residents. This will be costly, so may impact UK organisations’ ability to be competitive within the market when up against their European counterparts that do not have the same expenditures.

Will the UK be deemed adequate?

Although the UK has transposed the GDPR into its domestic law (the ‘UK GDPR’ entered into force on the 1^st of January 2021), this does not guarantee adequacy. A potential stumbling block comes in the form of national security legislation, such as the Investigatory Powers Act 2016.

In two recent cases, the CJEU ruled to restrict the grounds for mass data retentionIn data protection terms, a defined period of time for which information assets are to be kept.... for surveillance purposes. In the future, governments will only have grounds for mass data retention where they face a ‘serious threat to national security’. This does not align with the provisions within the Investigatory Powers Act, which allows for wider surveillance, albeit with safeguards in place. This is problematic because following the Court’s judgment, national security legislation can now be taken into account by the European Commission when making an adequacy assessment, putting an Adequacy decision in the UK’s favour in doubt.

What is the situation now?

The UK left the EU on 31^st December 2020, however, the Brexit deal that has been agreed has provided a bridge period of up to six months whereby the existing rules on data transfers between the UK and EU will remain in place. The hope is that by June 2021 the European Commission will have granted the UK adequacy, thus avoiding any disruption to data flows.

So, at present, personal data can still flow freely between the EU and the UK without any additional safeguards in place. Whilst no additional transfer safeguards are needed as of yet, not all GDPR obligations have stayed the same since 1^st January.

Article 27

Since the UK has now formally left the EU,  organisations that were previously exempt from complying with Article 27 because they had an establishment in the UK will now have to appoint an EU Representative. This means that if your organisation has a presence in the UK but not in the EU, and regularly processes the personal data of EU citizens, you will now be in breach of your GDPR obligations if you have not appointed an EU Rep.

Similarly, the UK GDPRThe UK General Data Protection Regulation. Before leaving the EU, the UK transposed the GDPR into UK law through the Data Protection Act 2018. This became the UK GDPR on 1st January 2021 when the UK formally exited the EU...., which has its own Article 27, came into force on 1^st January 2021. Therefore, if your organisation regularly processes the personal data of UK citizens but does not have a presence within the UK, you are now required to appoint a UK Representative.

As the UK is now a 3rd CountryA country that is not part of the European Economic Area (EEA).... in respect of EU data protection lawAny law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (as amended, consolidated or re-enacted from time to time) that relates to the protection of individuals with regards to the Processing of Personal Data.... (and vice versa), Article 27 applies in both of these scenarios, irrespective of an adequacy decision.

Conclusion

There is no guarantee that after this bridging period the UK will be deemed adequate and personal data will be allowed to flow freely; nor is there any certainty that the European Commission will have come to a decision on this point by June 2021. Currently, the fastest adequacy assessment took 18 months for Argentina, but some have taken up to five years.

It is therefore recommended by the ICOThe United Kingdom’s independent ‘supervisory authority’ for ensuring compliance with the UK GDPR, Data Protection Act 2018, the Privacy and Electronic Communications Regulations etc.... that organisations should plan for the possibility that the UK will be deemed inadequate, if they wish to continue processing EU data subjects’ data past the 30^th of June. However, perhaps more urgently, organisations must also consider, if they have not already, whether they are required to appoint an EU or UK Representative.