Adequacy Decisions under the UK GDPR and Data Protection Act 2018
In January 2021, the UK Information Commissioner’s Office (ICO) and the Department of Culture, Media and Sport (DCMS), under which the ICO sits, signed a joint Memorandum of Understanding (MOU) detailing the process to be followed when the Secretary of State makes a decision regarding the adequacy of third countries.
The MOU details an agreed understanding between the parties on the role and responsibilities of the ICO in relation to UK adequacy assessments. This includes the status of the views of the ICO, and the respective roles and responsibilities of the DCMS and ICO in adequacy decision-making by the Secretary of State.
Adequacy decisions are made by the Secretary of State under section 17A (general processing) or section 74A (law enforcement processing) of the UK Data Protection Act 2018 (DPA). These decisions give effect to a finding by the Secretary of State that the specified country ensures an ‘adequate’ level of protection of personal data. In the same way that EU adequacy decisions work, the effect of UK adequacy decisions is to permit personal data to flow from the UK to a country specified in the regulations without any further safeguards (such as the parties involved executing the standard contractual clauses). Currently, the UK has adopted the adequacy decisions of the European Commission in force at the end of the Brexit transition period on 31 December 2020. These decisions apply in relation to the following countries:
- Canada (commercial organisations)
- Faroe Islands
- Isle of Man
- New Zealand
In addition, the UK has stated that it deems the EU as a jurisdiction which has a finding of adequacy. The EU is currently considering the UK’s status as an adequate jurisdiction, with a decision expected this year. The European Commission has proposed to issue the UK with an adequacy decision, and has published a draft decision to this effect, but this still needs to be formally approved by representatives of EU member state governments.
Under the DPA, decisions relating to the making, review, amendment and revocation of UK adequacy decisions are, ultimately, a matter for the Secretary of State. However, prior to making a decision, the Secretary of State is required under the DPA (section 182(2)) to consult the ICO and such other persons as the Secretary of State considers appropriate. This also reflects the requirement, in Article 36(4) of the UK GDPR, for the Secretary of State to consult the ICO in these circumstances. The Secretary of State is not obliged to follow the ICO’s views, but rather to consider these when reaching a decision.
The MOU sets out, in a useful table, the roles of each of the parties in the decision-making process. Four broad phases are identified in the process of making an adequacy decision:
- Gatekeeping: this is the programme of work associated with making a decision as to whether to commence an assessment in respect of a country, by reference to numerous policy factors reflecting Government and UK interests.
- Assessment: this refers to the programme of work associated with collecting and analysing information relating to the level of data protection in another country.
- Recommendation: the programme of work associated with the DCMS’ UK Adequacy Assessment team making a recommendation to the Secretary of State who will then decide whether to make a finding of adequacy in respect of another country.
- Procedural: the work associated with making the relevant UK adequacy regulations, laying these before Parliament, and any subsequent publication of the ICO’s opinion.
The ICO’s role in the process includes:
- providing comments and advice to DCMS officials to allow the Commissioner’s view to be included in the recommendation to the Secretary of State and factored into the decision making.
- providing advice and/or an opinion to Parliament, including on the process followed and the factors taken into consideration by the DCMS Adequacy Assessment team and the Secretary of State.
This briefing is for guidance purposes only. RadcliffesLeBrasseur LLP accepts no responsibility or liability whatsoever for any action taken or not taken in relation to this note and recommends that appropriate legal advice be taken having regard to a client's own particular circumstances.