.svg)
Everyone has heard of the European Union's "equivalence" regime which allows various countries to trade with it freely in certain financial areas, but few have heard of the "adequacy" regime that it applies to data protection. How quickly can it remove a country from its list of "adequate" partners? How quickly can the UK remove the EU from its own list?
The General Data Protection Regulation (GDPR) states that the European Commission must determine whether a country guarantees a level of protection for personal data that is “essentially equivalent” to that ensured within the EU.
The European Commission describes the process best: "Consequently, a commission adequacy decision adopted pursuant to Article 45(3) of Regulation (EU) 2016/679 is binding on all organs of the member states to which it is addressed, including their independent supervisory authorities. In particular, during the period of application of this decision, transfers from a controller or processor in the European Union to controllers or processors in the United Kingdom may take place without the need to obtain any further authorisation."
The "adequacy decision" that the commission has made in the UK's favour is for a four-year period. The commission, however, does reserve the right to reverse this decision if it believes that the UK is no longer complying with the GDPR well enough.
Note 284 states: "Where available information, in particular information resulting from the monitoring of this decision or provided by United Kingdom or member states’ authorities, reveals that the level of protection afforded by the United Kingdom may no longer be adequate, the commission should promptly inform the competent United Kingdom authorities thereof and request that appropriate measures be taken within a specified timeframe, which may not exceed three months. Where necessary, this period may be extended... ."
Note 285 goes on to describe the next step in the process: "The commission will initiate the procedure referred to in Article 93(2) of Regulation (EU) 2016/679 with a view to partially or completely suspend or repeal [sic] this decision."
This makes it sound as though a lengthy three-month process is mandatory, but in fact the EU can "de-list" the UK instantly, according to Note 287.
"On duly justified imperative grounds of urgency, the commission will make use of the possibility to adopt, in accordance with the procedure referred to in Article 93(3) of Regulation (EU) 2016/679, immediately applicable implementing acts suspending, repealing or amending the decision."
What about the UK?
The UK government has the power to make its own "adequacy decisions" in relation to foreign countries (which it calls third countries) and international organisations. In the UK regime, these are now known as "adequacy regulations".
This document states that the phrase “UK Adequacy Regulations” means regulations made by the secretary of state under Section 17A (general processing) or Section 74A (law enforcement processing) of the Data Protection Act 2018, giving effect to a finding by the secretary of state that the specified country ensures an "adequate" level of protection of personal data.
Adequacy regulations are laid in parliament, according to this government document.
Another document throws more light on the subject.
There is a requirement, in Article 36(4) of the UK GDPR, for the secretary of state to consult the Information Commissioner's Office (ICO) in these circumstances.
When asked whether the UK could reverse an "adequacy decision" instantly or not, the ICO told VIXIO: "We're not 100% sure in general. We do believe that it's likely that it will go through parliament. The time is variable, according to parliamentary timetable."
Article 45(7) of the UK GDPR, which has "onshored" the EU's GDPR and enshrined it in UK law, states: "The amendment or revocation of regulations under section 17A of the 2018 Act is without prejudice to transfers of personal data to the third country, a territory or one or more specified sectors within that third country, or the international organisation in question pursuant to Articles 46 to 49."
According to the definitions to be found in Article 4(A1), "the 2018 Act" means the Data Protection Act 2018.
Supporting evidence for this comes from the text of that act.
Section 182, regarding regulations and consultation, states: "Regulations under this Act are to be made by statutory instrument. Before making regulations under this Act, the Secretary of State must consult the Commissioner and such other persons as the Secretary of State considers appropriate."
Regulations take several weeks for parliament to pass at the very earliest. They tend to mature in periods such as 45 or even 120 days and typically become law as long as no member of parliament objects to them. The UK, therefore, cannot rescind a country's "adequate" status in the instant manner open to the European Union.
