GS Verde Law | Raising investment Wales & South West | Acquiring a business Wales & South West | Selling a business Wales & South West

GS Verde Law

Data protection: EU Commission adopts adequacy decisions for the UK

posted 29th June 2021

Posted 3 years ago

By Lorna Bolton

Articles

In this article, Lorna Bolton, Director of Commercial & IP at law firm Greenaway Scott (part of the GS Verde Group), explains the background to the new adequacy decisions, what their adoption means for your business and provides some thoughts for the future.

On 28 June 2021 the European Commission (Commission) adopted two adequacy decisions in respect of transfers of personal data from the EU/EEA to the UK (Adoption). The Adoption is a significant step on a long road over recent years concerning transfers of personal data. Indeed, many organisations in the UK and EU/EEA welcome the Adoption as it brings an end to the recent uncertainty around transfers of personal data from the EEA/EU to the UK.

However, whilst the Adoption is a positive step, it is time limited and is likely not immune from legal challenges. Therefore, as a business in the UK receiving personal data from the EU/EEA, it is prudent to understand the significance of the Adoption and potential future developments in this area.

BACKGROUND
When the UK was a member of the EU, the GDPR applied to the UK and all other member states. The UK then of course departed from the EU. The EU Withdrawal Act 2018 functioned to take a snapshot' of all EU law as it existed on the day the UK departed from the EU on 31 December 2020 (at 11:00 pm) and retain the same in UK law as retained EU law. This retained EU law includes the GDPR, which is now known as the UK GDPR to distinguish it from the original GDPR, now referred to as the EU GDPR.

Under the EU GDPR, transfers of personal data from the EU/EEA to a 'third country' which now includes the UK as it is no longer a member of the UK are only lawful if:

1. the Commission has issued an appropriate adequacy decision in respect of the third country;

2. 'Appropriate Safeguards' (as defined under the EU GDPR) are in place. There are several 'Appropriate Safeguards including Binding Corporate Rules and Standard Contractual Clauses issued by the EU Commission; or

3. one of a number of quite specific and narrow exemptions under the EU GDPR is relied upon However, most of the time such exemptions are commercially impractical to rely upon.

Prior to the end of the transition period on 31 December 2020, the UK passed laws automatically recognising members of the EU and EEA as adequate in respect of data protection meaning UK businesses could continue transferring personal data to the EU/EEA unhindered as if the UK was still a member state of the EU.

On 24 December 2020 the EU and the UK entered into a Trade and Co-operation Agreement (the Agreement). The Agreement created a bridging period extendable to 30 June 2021 during which transfers of personal data from the EEA/EU to the UK were deemed adequate under the EU GDPR (Bridging Period) so as to avoid disruption to businesses at the end of the transition period.

So, after expiry of the Bridging Period UK businesses would either need a suitable adequacy decision issued by the EU or they would need to implement 'Appropriate Safeguards' or rely on a specific exemption under the EU GDPR in order to continue transferring personal data from the EU/EEA.

WHAT DO THE ADEQUACY DECISIONS MEAN FOR MY BUSINESS?
If your business relies upon transfers of personal data from the EEA/EU to the UK, then hopefully it will mean saving a substantial amount of time and money!

If the adequacy decision had not been issued by the Commission before expiry of the Bridging Period, then unless your business was able to rely upon Binding Corporate Rules already in place, it would have had to incur time and cost auditing its cross-border data transfers from the EEA/EU and implementing another 'Appropriate Safeguard' under the EU GDPR unless it was able to rely on the above mentioned narrow exemptions. The most likely 'Adequate Safeguard' your business would have chosen to implement would be entering into Standard Contractual Clauses issued by the Commission with the business(es) or individual(s) transferring personal data from the EEA/EU. In addition to putting this paperwork in place, you may have been asked to assist such business(es) or individual(s) in completing an assessment of UK data protection laws required by a judgment of the CJEU colloquially called Schrems II which supplements the EU GDPR.

Fortunately the Adoption means that for the moment your business can avoid all of that, and personal data transfers from the EEA/EU can continue unhindered!

THOUGHTS FOR THE FUTURE
First, the adequacy decisions will be subject to review after four years and contain a sunset clause. This means if the UK diverges too much from the EU's data protection standards over the next four years, one or both adequacy decisions may not be renewed.

Second, some commentators think it is only a matter of time before one or both adequacy decisions are challenged by an EU citizen in an EU court. This could result in a supervisory authority in an EU member state or the EEA suspending transfers of personal data from it to the UK or a reference to the EU's highest court, the CJEU, which could strike down one or both adequacy decisions altogether.

Third, the Adoption wasn't without bumps. In its resolution adopted 01 June 2021, the European Parliament noted 'a high level of indiscriminate surveillance' by UK authorities. Presumably the Parliament was referring to exemptions in UK data protection laws for national security and immigration purposes and bulk surveillance powers in the Investigatory Powers Act 2016. However, by making the Adoption the Commission has decided that as it stands the UK has sufficient safeguards to protect EU citizens' data protection rights. These exemptions are linked to the second point above in that, in the view of some commentators, if the CJEU were to review them as part of a reference to it by an EU citizen, it could persuade the CJEU to strike out the Adoption.

HOW CAN GREENAWAY SCOTT HELP?
Greenaway Scott's Commercial solicitors are experienced in advising a range of clients on many aspects of data protection in relation to commercial contracts and corporate transactions. If your business needs assistance in relation to transfers of personal data or data protection generally, please contact: LBolton@greenawayscott.com.

Lorna Bolton, Director of Commercial & IP, Greenaway Scott
Greenaway Scott is part of the GS Verde Group, a corporate finance led deal-making group.

Client testimonials...

It was a great experience to have the team at Greenaway Scott act on my behalf. I found them to be commercially minded, professional and committed to achieving the end result. I would be very pleased to recommend them.

Dean Stewart, Pinnacle

Working with Greenaway Scott has been an absolute pleasure from start to finish. They are one of the most professional organisations I’ve ever worked with, and could not recommend them highly enough.

Phil Stephens, Socket Store Limited

We recently hired Greenaway Scott to handle our purchase of Arun Electronics Ltd. Our experience of the team led by Leanne Thomas was wholly positive with the process being handled professionally and sensitively. Leanne’s team were aware of the potential pitfalls, kept me informed and were thorough and diligent, leaving no stone unturned and dealt competently and considerately with negotiations. It was easy to contact the team and ‘nothing was too much trouble’. The fee was fixed at the start and there were no ‘nasty surprises’ at the end.

Tim Wegener, MD, Knight Fire & Security Products Ltd

It was an absolute pleasure to have the team at Greenaway Scott acting on my behalf. Nothing was ever too much trouble and the whole experience was fantastic due to their conscientious and professional approach at all times. I would recommend them in a heartbeat

Richard Jones, Paramount Office Interiors Limited

We have been using Greenaway Scott as our legal counsel for over a year now, and have found them to be incredibly useful. They have helped us with our shareholder’s agreement over 2 investment rounds now, and with everything else – from employee contracts to our platform terms and conditions. They’re always on hand to answer any legal questions that I might have, and have gone above and beyond to deliver for us, time and time again.

Richard Wooley CEO, Paperclip App Limited

Greenaway Scott provides a strong service across a range of corporate and commercial matters. The firm is particularly noted for work at the nexus of corporate and intellectual property and is therefore a solid choice for venture capital work.

Legal 500

We’ve been working with Greenaway Scott now for several years to assist with a variety of challenges across multiple sectors within our group. Their commercial approach, technical ability and drive to deliver second to none, we have been nothing short of impressed with every case handled by the team at Greenaway Scott and would highly recommend them in all legal aspects.

Jac Bowen, Marketing Manager, Trade Centre Wales

Our first experience of using GS was in connection with the buy-out of the business from our holding company. We were really impressed with the way in which this was handled and have been a broad range client ever since!

Rob Jenkins, Finance Director, Integra Business Solutions Ltd

We are a national company dealing with large numbers of new clients on a weekly basis. The team at Greenaway Scott have been invaluable in advising us on contract law and the commercial implications thereof. We have found them reactive, professional and competent in every case. Greenaway have become a vital part of our team here at Santia.

Eddie Deverill, Santia Asbestos Management Limited

I enjoy working with the team at Greenaway Scott; I’ve received excellent legal advice and I am always impressed with the speed at which they respond to my requests.

Dr. Matthew Lakelin, Chief Scientific Officer, TrakCel

Bristol Office

The Generator Building
Counterslip
Redcliffe
Bristol BS1 6BX
Tel: +44 0117 374 9560

Cardiff Office

The Maltings
East Tyndall Street
Cardiff
CF24 5EA
Tel: +44 330 107 8498

Dublin Office

10 Upper Pembroke Street
Dublin 2
Dublin
Ireland
D02 EY66
Tel: +44 330 107 8498

Satellite Offices

Oxford Office
The Innovation Centre, 99 Park Drive, Milton Park, Oxfordshire OX14 4RY
Tel: +44 01235 841 578

London Office
7 Bell Yard, London, WC2A 2JR
Tel: +44 020 7813 0218, Fax: 020 7183 3073

GS Verde Law is the trading name of GS Verde Law Limited, a limited company (registration number: 8259989) which is authorised and regulated by the Solicitors Regulatory Authority under the Solicitors Code of conduct 2011 (SRA number: 573789) VAT registration number 153 8487 81.
Copyright © 2024 GS Verde Law. All Rights Reserved.

Website Design by Webfactory