The European Commission has finally approved two decisions on 28 June granting the United Kingdom the cherished status of having “adequate” data protection laws so that transfers of personal data from the European Union are not restricted. The decisions follow months of negotiations after the Brexit transitional period ended on 31 December 2020 and before the temporary adequacy bridge is due to end on 30 June 2021.
The United Kingdom’s decisions, for processing under the UK implementation of the General Data Protection Regulation (GDPR) and under the Law Enforcement Directive, are limited to a four-year term, which is renewable subject to the United Kingdom retaining an adequate legal framework to protect personal data.
The decisions are based on the following considerations:
Transfers for the purposes of UK immigration control are excluded from the scope of the adequacy decision adopted under the GDPR in order to reflect a recent judgment of the England and Wales Court of Appeal on the validity and interpretation of certain restrictions of data protection rights in this area. The European Commission will reassess the need for this exclusion once the situation has been remedied under UK law.
As we discussed in our prior LawFlash, the European Commission has now approved the new Standard Contractual Clauses for transfers of data from the European Union to “third countries” that are not deemed to have adequate data protection laws, such as the United States. The European Data Protection Board has also released its final guidance on measures to assess compliance with the GDPR and the use of SCCs by organisations. These EU SCCs are not, however, approved for use by UK organisations transferring personal data protected under the UK GDPR. This means that there is a real possibility that organisations will need additional data transfer agreements for the transfer of UK-protected personal data with EU-protected personal data.
The Information Commissioner’s Office (ICO) has announced it will publish a UK set of SCCs this year. At this point, we understand that the ICO is not intending to approve the EU SCCs, which could be logistically challenging for UK organisations transferring comingled personal data from the United Kingdom and Europe.
The data transfer landscape remains complex for multinationals. Organisations have a transitional period of 18 months to replace the old EU SCCs and we anticipate that the ICO will publish the UK SCCs this year. Organisations also need to complete risk assessments and the implementation of any required safeguards to protect the data on transfer notwithstanding the SCCs themselves.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
 Open Rights Group v Secretary of State for the Home Department and Secretary of State for Digital, Culture, Media and Sport  EWCA Civ 800.