European Commission Adopts UK Adequacy Decisions
1 July 2021
Technology & eCommerce Regulation in the Spotlight
The European Commission has formally adopted two United Kingdom adequacy decisions under the General Data Protection Regulation (“GDPR”) and the Law Enforcement Directive (“LED”). The adoption of the adequacy decisions means, in practice, that the transfer of personal data from the EU to the UK can continue freely, without the need to rely upon other third country transfer mechanisms. The decisions come just before the conditional interim regime under the EU-UK Trade and Cooperation Agreement, allowing the free flow of data from the EU to the UK, was set to expire.
According to the Commission, these decisions facilitate the correct implementation of the EU-UK Trade and Cooperation Agreement, which foresees the exchange of personal information (e.g. for cooperation on judicial matters).
As part of its assessment, the Commission concluded that the UK provides an adequate level of protection for personal data, stating that the principles, rights and obligations of the GDPR and the LED are fully incorporated in the UK’s national data protection regime. The Commission highlighted the fact that the UK is subject to the jurisdiction of the European Court of Human Rights and is committed to the international treaties addressing data protection as key elements in its resolution to adopt the decisions.
Despite the Commission’s strict approach regarding the disclosure of personal data to public authorities for national security reasons, which was followed by the publishing of the Standard Contractual Clauses (as we recently updated), and despite the European Data Protection Board’s (EDPB) concerns regarding the UK’s surveillance regime, the Commission confirmed that UK law provides “strong safeguards” in this respect. Notably, following a recent judgement by the UK Court of Appeal regarding the immigration exemption under the Data Protection Act of 2018, transfers of personal data for the purposes of UK immigration control will be excluded from the decision, at least until remedied.
Unlike prior adequacy decisions, the UK adequacy decisions include a ‘sunset clause’, which limits the duration of the decisions to four years. After this period, the decisions will expire and the adequacy findings will need to be renewed, subject to the UK continuing to ensure an adequate level of data protection. During this period, the Commission will closely monitor legal developments in the UK, and if the UK deviates from the level of protection currently in place, the Commission has the authority to intervene, suspend, repeal or amend the adequacy decisions at any time.
Please feel free to contact us for assistance with the implications of these recent regulatory developments for your business.
Ariel Yosefi, Partner
Head of Technology & eCommerce Regulation