When the United Kingdom officially left the European Union at 11pm GMT on 31 January 2020, one of the many loose ends still trailing was the UK’s status regarding transfers of personal data from the EU. The UK had not yet been granted the valuable GDPR ‘adequacy decision’ by the European Commission which would allow British organisations to import personal data of people in Europe into the country without any additional safeguards being applied, such as making the data transfers subject to EU proforma contract provisions (known as ‘Standard Contractual Clauses’ or ‘SCCs’) or approved Binding Corporate Rules (‘BCRs’).
It was only after a rather agonising wait of 6 months that, in June 2021, the Commission issued its adequacy decision (there is actually a second decision, with regard to personal data in criminal investigations under the Law Enforcement Directive, but this blog will only refer to the GDPR one). This confirmed that the privacy regime in the UK offered an essentially equivalent level of protection for individuals’ data to that which they had in the EU. However, that decision came with strings attached, in the form of a ‘sunset clause’ which provided that it was time-limited to four years from the date of granting (i.e. to June 2025). At the end of that period, the EU would assess whether the adequacy arrangement was functioning as intended and whether anything had changed in the intervening years to alter the UK’s ‘essentially equivalent’ status in the Commission’s eyes. If the outcome of this review was positive, the EU would agree to extend the term of the adequacy decision. If the Commission determined it was not working – e.g. it had been undermined for some reason – then it would be allowed to expire.
Non-renewal of the decision would be no small matter for UK businesses. The administrative and legal costs of putting in place alternative mechanisms (including SCCs or BCRs) to cover the millions of transfers of personal data that occur every day between the EU and UK, together with the cost to the UK economy of the disruption in trade that would result from the decision not being extended, have been estimated at between £1 billion and £1.6 billion.
So, you would expect that all UK stakeholders – especially the Government – would be hyper-vigilant not to do anything to jeopardise this hard-won and precious designation; however, this has not been the case. In 2022, the Government set the cat among the pigeons by introducing its Data Protection and Digital Information Bill (the ‘DPDI Bill’) into Parliament. The DPDI Bill aims to streamline several of the original GDPR’s requirements, which were transposed into the UK GDPR on Brexit, to lighten the administrative burden of data protection (DP) compliance on British businesses and thereby make them more competitive. However, the DPDI Bill, if passed in its current form, has been described by some commentators as posing a real threat to the UK’s adequacy status, due to its divergence from, and dilution of, certain key elements of the EU GDPR, such as the definition of personal data, the role of data protection officers (DPOs) and the independence of the privacy regulator, the Information Commissioner’s Office (ICO). Any EU decision to renew the UK’s adequacy finding will be based not on ease of compliance with the UK GDPR, but rather on its protection of data subjects’ rights and freedoms. But it has been said that, in the name of cutting ‘red tape’, the Bill erodes some of those rights and freedoms quite significantly.
Although he continues to say that he broadly supports the Bill, the Information Commissioner has recently expressed misgivings about its not specifying what types of processing constitute ‘high risk’ (an undefined term used more than once in key parts of the draft legislation), and its removal of a future-proofing power which the Commissioner had previously suggested to allow the ICO to designate further, additional processing activities as “high risk”. The Commissioner also has reservations about the power the Bill grants to the Government’s Department of Work and Pensions to compel banks and other institutions to provide data about individuals suspected of benefits fraud.
After nearly two years, the Bill is still grinding its way through Parliament (it is currently with the House of Lords for its Second Reading). In March 2024, the Lords launched an inquiry by its European Affairs Committee into the UK’s adequacy decision. This inquiry is focused on: the value of the existing adequacy regime and possible challenges to renewal of the UK’s current arrangement; the implications of any such non-renewal (or what it calls a “no or disrupted UK-EU data adequacy scenario”); and what can be learned from other countries’ experience with the adequacy system.
The European Affairs Committee’s Call for Evidence invited the views of “anyone with expertise in or experience of” data adequacy on a list of around a dozen questions concerning the adequacy finding. On 22 April, the Committee received its first substantial official response from a European Union institution – the LIBE (Civil Liberties, Justice and Home Affairs) Committee of the European Parliament. In a written submission to the House of Lords committee inquiry, the LIBE Committee voiced serious concerns about a number of issues that it thought could result in the withdrawal by the European Commission of the UK’s adequacy status, with all the negative consequences that would arise from such a move.
The LIBE committee’s letter started by criticising three aspects of the DPDI Bill which it considers “controversial”:
- One of the Bill’s proposals to change the definition of personal data, which specifies that pseudonymised data in the hands of a processor or other person who is not the controller of it will no longer be considered personal data.
- Undermining the independence of the ICO (which itself is to be structurally reformed), because the Bill requires the Commissioner, when exercising their powers to protect personal data, also to have regard to other interests such as promoting innovation and competition, public safety and the international agenda of the UK Government, and to follow a statement of priorities laid down by the Secretary of State. The LIBE panel believes that such considerations are outside the Commissioner’s competence and could compromise their political neutrality.
- A power of the Secretary of State to designate other third countries or international organisations as having adequate DP laws, regardless of whether the European Commission has awarded the country or organisation adequacy status (the UK has already done this with Gibraltar, which does not have an adequacy decision from the EU). The LIBE Committee is “strongly concerned” (it uses a variant of the word ‘concerned’ 11 times in a 10-page document) that in such cases, the UK’s adequacy status could lead to the onward transfer of EU people’s data to countries or international organisations not deemed adequate under EU law.
More generally, the European Parliament committee’s evidence has some quite impactful things to say about the ICO’s record on enforcement of the GDPR (in its EU and then post-Brexit UK forms):
‘The UK data protection supervisory authority, the ICO, is one of the largest in Europe. However, according to experts … despite having a lot of capacity and resources, ICO enforcement is currently rather weak. The LIBE Committee is concerned that such a lack of enforcement is a structural problem … In practice, this has meant that a large number of breaches of data protection law in the UK have therefore not been remedied.’
How the UK regulator responds to such criticism will be interesting to note.
Finally, the LIBE Committee’s submission reminds the reader that the UK’s membership of the European Convention on Human Rights (ECHR), and therefore its compliance with the rulings of the European Court of Human Rights (ECtHR), were important factors in determining its adequacy. Therefore, given the recent discussion, however speculative, among certain members of the UK’s governing party (including the Prime Minister) about the UK potentially withdrawing from the Convention and ECtHR if its Rwanda scheme is opposed by the Strasbourg court, the LIBE Committee goes on to state:
“any possible changes to the UK's Human Rights Act or the UK’s departure from ECHR jurisprudence would, in the opinion of the LIBE Committee, have a negative impact on the [sic] UK adequacy”.
But what sway does the opinion of the LIBE Committee actually have? Well, it is a well-informed and respected stakeholder group, but its assessment is by no means conclusive. Don’t forget that it strongly objected to the UK being granted data adequacy in the first place, to no avail.
Following the Prime Minister’s recent announcement of a snap General Election, the DPDI Bill is not going to be passed before Parliament is dissolved. If the Conservatives are re-elected on 4 July, then the Bill will continue its passage through Parliament and may be enacted in the next parliamentary session. If there is a change of Government however, it is very unlikely that the Bill will become law in its current form, and it may be scrapped altogether.
How URM can help
Maintaining GDPR compliance through changes to the DP regime can be difficult for any organisation. However, with a 19-year track record of assisting countless organisations’ compliance efforts through the many changes to UK DP law in that time (and with DP compliance in general), URM is able to provide effective and informed GDPR consultancy to help you remain compliant, regardless of how the UK DP landscape is changed by the DPDI Bill.
Our team of highly qualified DP practitioners can offer a range of GDPR consultancy services to help ensure your organisation is adherent to the Regulation, such as conducting a gap analysis of your processing activities against GDPR requirements to establish where you are and are not currently compliant. Our GDPR consultants can also assist with your completion of key compliance activities, such as producing a record of processing activities (ROPA), and conducting data privacy impact assessments (DPIAs) and data transfer impact assessments (DTIAs). We can also help you respond to data subject access requests (DSARs) with our DSAR request redaction service. If your organisation would benefit from ongoing support, we can offer a virtual DPO service which provides you with access to an entire team of DP specialists.
Meanwhile, if you would like to enhance your own understanding of DP and the GDPR, we regularly deliver a range of DP-related training courses, all of which are led by a practising GDPR consultant. To gain an industry-recognised qualification in DP, our BCS Certificate in Data Protection (CDP) course will prepare you to sit the BCS-administered exam and provide you with a strong understanding and practical interpretation of UK DP law. You can also attend our training courses on conducting DPIAs and DTIAs, and our 1-day ‘How to Manage DSARs’ training course, all of which are aimed at providing you with the skills necessary to complete and manage these vital compliance activities when you return to your work environment.
URM can offer a host of consultancy services to improve your DP policies, privacy notices, DPIAs, ROPAs, data retention schedules, training programmes, etc.
By attending URM’s online BCS Foundation Certificate in Data Protection course, you will gain valuable insights into the key aspects of current DP legislation including rights of data subjects and data controller obligations.
If you are uncertain, URM is able to conduct a high-level GDPR gap analysis which will assist you in understanding your current levels of compliance and identify gaps and vulnerabilities.