Transcription of (Text with EEA relevance)
1 EN EN EUROPEAN COMMISSION Brussels, C(2021) 4800 final COMMISSION IMPLEMENTING DECISION of pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom (Text with EEA relevance) EN 1 EN COMMISSION IMPLEMENTING DECISION of pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom (Text with EEA relevance) THE EUROPEAN COMMISSION, Having regard to the Treaty on the Functioning of the European Union, Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data , and repealing Directive 95/46/EC (General data Protection Regulation)1 , and in particular Article 45(3) thereof, Whereas: 1.
2 INTRODUCTION (1) Regulation (EU) 2016/679 sets out the rules for the transfer of personal data from controllers or processors in the European Union to third countries and international organisations to the extent that such transfers fall within its scope of application. The rules on international data transfers are laid down in Chapter V of that Regulation, that is in Articles 44 to 50. While the flow of personal data to and from countries outside the European Union is essential for the expansion of international cooperation and cross-border trade, the level of protection afforded to personal data in the European Union must not be undermined by transfers to third countries2.
3 (2) Pursuant to Article 45(3) of Regulation (EU) 2016/679, the Commission may decide, by means of an implementing act, that a third country, a territory or one or more specified sectors within a third country, or an international organisation ensure(s) an adequate level of protection. Under this condition, transfers of personal data to a third country may take place without the need to obtain any further authorisation, as provided for in Article 45(1) and recital 103 of that Regulation. (3) As specified in Article 45(2) of Regulation (EU) 2016/679, the adoption of an adequacy decision has to be based on a comprehensive analysis of the third country's legal order, covering both the rules applicable to the data importers and the limitations and safeguards as regards access to personal data by public authorities.
4 In its assessment, the Commission has to determine whether the third country in question guarantees a level of protection essentially equivalent to that ensured within the European Union (recital 104 of Regulation (EU) 2016/679). The standard against which the essential equivalence is assessed is that set by European Union legislation, notably Regulation (EU) 2016/679, as well as the case law of the Court of 1 OJ L 119, , page 1. 2 See recital 101 of Regulation (EU) 2016/679.
5 EN 2 EN Justice of the European Union3. The European data Protection Board s (EDPB) adequacy referential is also of significance in this regard4. (4) As clarified by the Court of Justice of the European Union, this does not require finding an identical level of protection5. In particular, the means to which the third country in question has recourse for protecting personal data may differ from the ones employed in the European Union, as long as they prove, in practice, effective for ensuring an adequate level of protection6.
6 The adequacy standard therefore does not require a point-to-point replication of Union rules. Rather, the test lies in whether, through the substance of data protection rights and their effective implementation, supervision and enforcement, the foreign system as a whole delivers the required level of protection7. (5) The Commission has carefully analysed the law and practice of the United Kingdom. Based on the findings developed in recitals (8) to (270), the Commission concludes that the United Kingdom ensures an adequate level of protection for personal data transferred within the scope of Regulation (EU) 2016/679 from the European Union to the United Kingdom.
7 (6) This conclusion does not concern personal data transferred for United Kingdom immigration control purposes or which otherwise falls within the scope of the exemption from certain data subject rights for purposes of the maintenance of effective immigration control (the immigration exemption ) pursuant to paragraph 4(1) of Schedule 2 to the UK data Protection Act. The validity and interpretation of the immigration exemption under UK law is not settled following a decision of the England and Wales Court of Appeal of 26 May 2021.
8 While recognising that data subject rights can, in principle, be restricted for immigration control purposes as an important aspect of the public interest , the Court of Appeal has found that the immigration exemption is, in its current form, incompatible with UK law, as the legislative measure lacks specific provisions setting out the safeguards listed in Article 23(2) of the United Kingdom General data Protection Regulation (UK GDPR)8. In these conditions, transfers of personal data from the Union to the United Kingdom to which the immigration exemption can be applied should be excluded from the scope 3 See, most recently, Case C-311/18, Facebook Ireland and Schrems ( Schrems II ) ECLI:EU:C:2020:559.
9 4 European data Protection Board, Adequacy Referential, WP 254 rev. at the following link: 5 Case C-362/14, Schrems ( Schrems I ), ECLI:EU:C:2015:650, paragraph 73. 6 Schrems I, paragraph 74. 7 See Communication from the Commission to the European Parliament and the Council, Exchanging and Protecting personal data in a Globalised World, COM(2017)7 of , section , pages 6-7, available at the following link: :52017DC0007&from=EN. 8 Court of Appeal (Civil Division), Open Rights Group v Secretary of State for the Home Department and Secretary of State for Digital, Culture, Media and Sport, [2021] EWCA Civ 800, paragraphs 53 to 56.
10 The Court of Appeal reversed the High Court of Justice s decision that had previously assessed the exemption in light of Regulation (EU) 2016/679 (in particular, its Article 23) and the Charter of Fundamental Rights of the European Union and found the exemption to be lawful (Open Rights Group & Anor, R (On the Application Of) v Secretary of State for the Home Department & Anor [2019] EWHC 2562). EN 3 EN of this Decision9. Once the incompatibility with UK law is remedied, the immigration exemption should be reassessed, as well as the need to maintain the limitation of the scope of this Decision.
