Brexit briefing | 01 Jul 2021 |

Brexit: UK gets data adequacy decision - but unfinished business remains

In a welcome move, the European Commission has formally approved an adequacy decision for the UK on data protection. However, as we explain below, this may not be the end of the story as regards the post-Brexit treatment of EU personal data – and there is still unfinished business in a number of other important areas beyond data protection.

The data adequacy decision

The European Commission's decision means that the UK's data protection regime has been deemed sufficient to protect EU personal data. This is important because without such a decision, EU data controllers and processors would have had to put in place additional safeguarding mechanisms, which are likely to involve significant additional paperwork, especially in light of the EU's recently released new standard contractual clauses. The only reason they did not have to take these measures with effect from 1 January this year (when the Brexit transition period ended) was the inclusion of the so-called "data bridge" in the UK-EU Trade and Cooperation Agreement, which provided a 6 month "grace period" for businesses (and has enabled the European Commission to complete its assessment of the UK's data protection framework). However, there are several caveats:

Ongoing monitoring: The European Commission has the power to suspend, repeal or amend the decision if it "has indications that an adequate level of protection is no longer ensured". Whilst this is standard language in decisions of this type, it comes against a background of calls on the UK Government to diverge from the EU on data protection (see for example, the recent report of the Taskforce on Innovation, Growth and Regulatory Reform). If implemented, such changes could prompt the Commission to reassess the UK's legislative framework (so an attempt to make compliance with data protection easier within the UK could, ironically, make it more difficult to deal with transfers of EU personal data from businesses in the EU).
Sunset clause: The decision also contains a sunset clause, limiting its duration to 4 years after which time it will expire unless renewed (which will require a further review of UK laws and practices at that stage). This is the first time an adequacy decision has included such language and provides the EU with a further opportunity to reassess the UK's data protection landscape, including its onward transfer regime and the UK's approach to granting adequacy to third countries.

Possible legal challenge

The approved adequacy decision could be legally challenged by the Court of Justice of the European Union (CJEU) and be declared invalid in a similar way to the EU-US Privacy Shield. Such a challenge is anticipated by some, particularly as the UK's surveillance laws have already received recent challenge by the CJEU in the Privacy International case. In that case, the CJEU ruled that EU law did not permit the UK to instruct electronic communication service providers to undertake bulk collection of e-comms data (the general and indiscriminate transmission of traffic data and location data) for the purpose of safeguarding national security. This successful challenge to the UK's surveillance practices may encourage the legal testing of a UK adequacy decision. Other possible grounds for an appeal are suggested in a recent European Parliament resolution expressing concerns about the adequacy of the UK's existing framework.

Other unfinished business

Data protection was not the only item of business left on the "still to do" list when the Brexit transition period ended on 31 December 2020. Significant unfinished business remains in the following areas:

As regards the longer term, there is also unfinished business in relation to regulatory reform and trade policy, where the UK has signaled a desire to take advantage of its freedom to regulate as it sees fit and to enter into new trade agreements with third countries not covered by the EU's network of such arrangements. These Brexit-related policy initiatives are likely to prove challenging and will take time to deliver.

Read Louisa Chambers Profile