The European Commission has today published a positive adequacy finding in respect of the UK’s data protection regime (the Decision). This means that personal data can continue to flow freely from the EU to the UK without the need for organisations to take further measures.
For the time being, however, the Decision does not concern personal data transferred for United Kingdom immigration control purposes or which otherwise falls within the scope of the exemption from certain data subject rights for purposes of the maintenance of effective immigration control (the Immigration Exemption). The Immigration Exemption has been widely criticised by commentators as a controversial exemption in the Data Protection Act 2018. This resulted in legal action being taken by the Open Rights Group (ORG) against the government. The ORG argued that the exemption was being used by the Home Office to deny people access to their personal data and was “far too broad and imprecise”. On 26 May 2021, the UK Court of Appeal confirmed that it agreed with the ORG, stating that the Immigration Exemption, in its current form, was incompatible with UK law. The court said that the Immigration Exemption did not contain the necessary legislative safeguarding measures which are listed in Article 23(2) of the UK General Data Protection Regulation: “the Exemption itself contains nothing, specific or otherwise, about any of the matters listed in Article 23(2). Even assuming, without deciding, that it is permissible for the “specific provisions” required by Article 23(2) to be contained in some separate legislative measure, there is no such measure”. The Decision notes that once the UK has remedied this incompatibility, the Immigration Exemption and the scope of the Decision will be reassessed.
The Decision will apply for an initial period of four years. It may be extended by another four years if the Commission’s monitoring of the Decision reveals that the UK still maintains adequate protection for personal data. However, if the Commission thinks that the UK no longer maintains adequate protections and the UK authorities fail, within a specific timeframe, to take appropriate corrective actions, the Commission may partially or completely suspend or repeal the Decision.
Whilst the Decision is undoubtedly good news, there remain areas of the UK data protection regime which may still be subject to legal challenge and pose a threat to the UK’s long-term adequacy status. For example, privacy rights groups and the EU Parliament have both expressed concerns over the UK’s bulk surveillance regime. However, any such challenges would take some time to work their way through the judicial process and to the Court of Justice of the European Union.
More immediate threats may come from the UK government, which is reviewing the UK’s approach to regulation in a post-Brexit world.
The Taskforce on Innovation, Growth and Regulatory Reform (led by various Members of Parliament) published a report to the Prime Minister last month calling for a “bold new UK regulatory framework based on core principles of UK law”. The report suggested that the General Data Protection Regulation (GDPR) should be replaced with a new UK framework for data protection which is “more proportionate”. The report criticised GDPR as “prescriptive, and inflexible and particularly onerous for smaller companies and charities to operate”.
In addition, the UK government has publicly indicated that it wants to make its own “UK adequacy arrangements with new partners around the world” to make it “easier for organisations to send data internationally”. This has raised concerns that the UK may be used as a “back door” to transfer EU data to “unsafe” jurisdictions. The Decision is acutely aware of this concern. The Commission says that it will “closely monitor the situation” to “assess whether the different transfer mechanisms are used in a way that ensures the continuity of protection, and, if necessary, take appropriate measures to address possible adverse effects for such continuity” but that “it is expected that problematic divergence could also be avoided through cooperation, exchange of information and sharing of experience, including between the ICO and the EDPB”.
Data protection practitioners may therefore breathe a sigh of relief that a last-minute adequacy decision has been reached; however, future political developments may have the capacity to shake its stability.