EU declares UK “adequate” but GDPR gold standard difficult to reach

The European Commission announced on 19th February (too late for inclusion in this 34th Anniversary edition) that it had declared the United Kingdom “adequate” for the transfer of personal data from the European Economic Area to the UK under the GDPR.

The European Commission’s analysis reaches the conclusion that the UK “ensures an essentially equivalent level of protection to the one guaranteed under the GDPR.” But final approval requires a non-binding opinion from the European Data Protection Board followed by a binding opinion of the Member States under the “comitology” procedure.

The perspective is different on each side. For the UK government, such a declaration was inevitable and it claimed that it could not understand the delay, as until 31st December 2020, the UK’s Data Protection Act, its implementation of the GDPR, was deemed to be entirely adequate, the same as all the other Member States’ national laws implementing the GDPR.

From the European Commission’s perspective, it needed to show that its review of the UK’s law was rigorous, a serious effort, not a superficial exercise. The thorough analysis takes 88 pages for the UK’s implementation of the GDPR and 51 pages for the UK’s implementation of the Law Enforcement Directive. Its review of the UK’s Data Protection Act 2018 quite rightly covers not only the law itself but also the oversight of the Information Commissioner’s Office, the Information Tribunal and criminal law enforcement. For example, the report states that there are “several oversight bodies in the area of criminal law enforcement with specific mandates relevant for data protection issues.” This includes for instance the Biometrics Commissioner and the Surveillance Camera Commissioner and also covers Parliamentary oversight. (Recital 161)

In an outreach effort to sustain goodwill, Věra Jourová, European Commission Vice-President for Values and Transparency, said: “The UK has left the EU, but not the European privacy family.”

Bringing other countries into the GDPR orbit by seeking EU adequacy

While this review of the UK data protection law is a model of thoroughness, such efforts to shine this powerful light on several other countries which seek such approval will be very time consuming. Inevitably, the extent of a country’s trading relationship with the European Economic Area countries will provide a context for the effort, cost and time which might be spent on these exercises.

The proximity and value of the mutual trading relationship was taken into account in previous adequacy declarations in relation to the European Community (EC) Data Protection Directive for Switzerland in 2000 and New Zealand in 2012. Political factors may well have been relevant in the case of Argentina in 2003 and indeed in the case of the original EC-US Safe Harbor agreement in October 2000. Privacy Laws & Business provided consultancy to the European Commission on all of these and several other adequacy assessments.

In the case of Japan, where the mutual adequacy declaration with the GDPR was as recent as January 2019, and influenced heavily by trade considerations, further legislative steps have followed this decision. Indeed, earlier this month Professor Hiroshi Miyashita, Chuo University, informed me that on 9th February, Japan’s government published a draft bill of a new data protection law to establish a ‘Digital Agency’, to integrate private and public sector laws. It will result in the Personal Information Protection Commission supervising both sectors. Other amendments in 2020 have already brought Japan’s law closer to that of the EU.

In all cases, an applicant country’s constitution or equivalent and the overall regulatory framework and judicial system are studied by the European Commission as part of the adequacy review process.

While the GDPR is widely recognised as “the gold standard” and dominant in its influence around the world, the inevitable need to adapt the GDPR principles to national cultures and political and legal contexts will require a certain flexibility from Brussels. Potential “adequate” countries are as diverse as:

  • Brazil with a Data Protection Authority appointed only recently
  • India with a bill, still stuck in Congress, to create a Data Protection Authority and to modernise standards
  • South Africa with a right to privacy in the constitution, an Information Regulator but with the law not fully in force until July 2021
  • Bermuda where the new Privacy Commissioner sees his role as helping the government in its effort towards GDPR adequacy
  • Mauritius which has applied for adequacy, and
  • South Korea where adequacy talks are ongoing.

For some countries, signing and ratifying the Council of Europe Convention 108+ presents an attractive alternative (p.3). Our tables of 145 laws and 23 bills, compiled by Professor Graham Greenleaf give you an unrivalled comprehensive overview.

Look out for the March edition of Privacy Laws & Business United Kingdom Report which will feature an article by John Whittingdale MP, Minister of State for Media and Data about the UK’s position and aspirations in the international data protection field.


Stewart Dresner, Publisher


International Report 169

Lead stories:

Global data privacy laws 2021: Despite Covid delays, 145 laws show GDPR dominance

During 2019-20, the number of countries that have enacted data privacy laws rose from 132 to 145. Graham Greenleaf analyses the trends.

Canada’s new Consumer Privacy Protection Act: Will it be ‘adequate’?

Colin Bennett from the University of Victoria discusses aspects of the Bill that may be significant for an EU adequacy assessment.

Click for full contents list