The progress of the UK’s negotiations on EU withdrawal: Data

2 EU data protection and third countries

Data adequacy decision

8. An adequacy assessment is the specific legal process by which the European Commission examines a third country’s laws, practices and international commitments, to establish whether it provides a level of protection that is essentially equivalent to that of the EU. This results in the third country being given an adequacy decision. The adoption of an adequacy decision involves

9. If the UK requests a decision of adequacy, it will be assessed under the GDPR criteria. These include an assessment of the data protection law, the degree of independence of the data protection authority, the administration of the law, the activities of national security and intelligence agencies, and whether or not there was protection and redress for EU residents.16 An adequacy decision must comply with the EU Treaties, the Charter of Fundamental Rights,17 the GDPR and all corresponding CJEU caselaw. It would be subject to periodic review, at least every four years.18 The GDPR states that

The protection of natural persons in relation to the processing of personal data is a fundamental right.

And refers to Article 8(1) of the Charter of Fundamental Rights of the EU.19 Elizabeth Denham told us that she expected the Commission to scrutinise adequacy decisions more robustly under GDPR.20

10. The effect of an adequacy decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. In other words, transfers to the country in question will be assimilated to intra-EU transmissions of data.21 Countries which have received data adequacy decisions include: Andorra, Argentina, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. There are agreements with Canada for commercial organisations, and the Privacy Shield framework for data transfers with the US. James Mullock, Partner, Bird and Bird, said that, to his knowledge, no country had lost a decision of adequacy once it had been awarded.22

11. It has been suggested that the UK securing an adequacy decision may be at risk due to the UK Government’s intention to not incorporate the EU Charter of Fundamental Rights (specifically Article 8) into UK law, and its national security legislation.23 While James Mullock said not incorporating the Charter would make it “more difficult” to secure an adequacy decision, Stephen Hurley said “it should not hopefully make a difference in practice” while Elizabeth Denham said it “would have been a good signal”. Giles Derrington said that Section 2 of the Data Protection Bill has been a “significant step”.24 Mr Derrington said the Commission would consider this to be a question of fundamental rights and as part of the adequacy process the UK will have:

to prove that our national security apparatus is secure and that third country transfers are not happening to places not deemed adequate by the EU.25

Fredrick Erixon, of the European Centre for International Political Economy (ECIPE), said that while he would be “very surprised if there were no recognition of adequacy of the UK”, it is likely that several Governments in the EU will raise concerns about data protection in the UK and “especially the use of mass surveillance techniques”.26

Lessons from the EU-US Safe Harbour and the Privacy Shield

12. The US and EU Commission agreed the ‘Safe Harbour’ decision in 2000 to enable personal data to move from the EU to the US. This was challenged in 2013 by an Austrian privacy campaigner called Max Schrems.27 The CJEU decided the Safe Harbour framework did not provide an adequate level of protection “essentially equivalent” to that assured within the EU, and, in 2015, the CJEU declared the Commission’s adequacy decision in respect of Safe Harbour invalid. This meant international transfers under the Safe Harbour framework were unlawful, and led to a period of legal uncertainty over the legal basis for transfers of personal data from the EU to third countries.

13. James Mullock said that the Schrems challenge did not necessarily lead to data transfers being stopped, but rather companies took a risk in carrying on and hoping they would be “cut some slack” by regulators who recognised the position they were in, as long as they were seen to be “trying to patch the position”. This meant putting in place alternative mechanisms, such as model contracts.28 The EU and the US agreed a new framework for transatlantic data transfers to replace Safe Harbour, called ‘Privacy Shield’, in 2016.29

14. The EU-US Privacy Shield framework became operational on 1 August 2016 and includes:

15. Elizabeth Denham explained that the UK had reviewed the legal framework around security and intelligence-gathering, resulting in a new independent Investigatory Powers Commissioner, and the Government had committed to improve the transparency and accountability of the intelligence services. The ICO took part in the assessment of the Privacy Shield and it can anticipate the likely questions that the UK will be asked.31

16. The EU’s existing arrangements for providing for data flows with third countries typically involve a decision of adequacy from the European Commission. Since the CJEU decision on the US-EU Safe Harbour agreement, a decision of adequacy will require the third country to provide protection of fundamental rights essentially equivalent to that provided in the EU. A range of countries have received an adequacy decision, ranging from Switzerland to Argentina to New Zealand. The United States and Canada have limited arrangements.

16 Article 45 GDPR Transfers on the basis of an adequacy decision

17 Article 51 of the Charter of Fundamental Rights states “The provisions of this Charter are addressed to the institutions, bodies, offices and agencies of the Union with due regard for the principle of subsidiarity and to the Member States only when they are implementing Union law. They shall therefore respect the rights, observe the principles and promote the application thereof according to their respective powers and respecting the limits of the powers of the Union as conferred on it in the Treaties”.

18 Article 45(3)

19 GDPR Recital 1 Data protection as a fundamental right. See also written evidence from the Information Commissioner to the Joint Committee on Human Rights HRB0054

20 Q1570

22 Qq1595–1597

24 Q1630. Section 2 Data Protection Act 2018 requires “personal data to be processed lawfully and fairly, on the basis of the data subject’s consent”. Article 8 (2) of the Charter reads “Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned”.

25 Q1581

26 Qq521–522

27 Max Schrems was an Austrian law student who challenged the transfer of his data to the US by Facebook, which is incorporated in Ireland. The first Schrems case led the CJEU to invalidate the Safe Harbour arrangement.

28 Qq1578–1579

31 Qq1590–1591

Published: 3 July 2018