EDPB Opinion on UK Adequacy: Strong Alignment but Challenges Remain

During its 48th plenary session, the European Data Protection Board (EDPB) adopted two opinions on the European Commission’s draft UK adequacy decision.

Background

The GDPR imposes restrictions on the transfer of personal data to a ‘third country’ unless that country benefits from (i) an adequacy decision; (ii) appropriate safeguards (e.g. standard contractual clauses (SCCs)); or (iii) one of the limited exceptions under Article 49 GDPR. At the end of the Brexit Transition Period, the UK and the EU agreed the Trade and Cooperation Agreement, which included provisions allowing personal data to be transferred from the EU to the UK for a period of up to six months from 1 January 2021 without the need for any additional safeguards such as SCCs. This ‘bridging’ period was implemented to allow the EU the time needed to adopt a formal adequacy decision which will allow the continuing flow of personal data to the UK from the EU.

On 19 February 2021, the European Commission issued its draft Decision concluding that the UK ensures an adequate level of protection for personal data transferred from the EU to the UK. Following this, on 14 April 2021, the EDPB adopted two Opinions on the draft UK adequacy decisions: (i) Opinion 14/2021 for transfers of personal data under the EU General Data Protection Regulation (EU GDPR); and (ii) Opinion 15/2021 for transfers of personal data under the Law Enforcement Directive (LED).

EDPB Opinions

Strong alignment

The EDPB concludes in its Opinions that there is a “strong alignment” between the GDPR framework and the UK legal framework on certain core provisions, such as concepts (e.g., “personal data”; “processing of personal data”; “data controller”); grounds for lawful and fair processing for legitimate purposes; purpose limitation; data quality and proportionality; data retention, security and confidentiality; transparency; special categories of data; direct marketing; automated decision making and profiling. This is unsurprising, given that the UK data protection framework is largely based on the EU data protection framework. In addition, the EDPB notes that the UK Data Protection Act 2018 further specifies the application of the GDPR and LED in UK law as well as granting powers and imposing duties on the UK Information Commissioner’s Office (“ICO”). Therefore the EDPB concludes that the UK has mirrored, for the most part, the GDPR/LED in its data protection framework.

EDPB areas of concern for EU Commission consideration

Although the EDPB has identified many aspects of the UK data protection framework to be essentially equivalent to the EU framework, the EDPB concludes that challenges remain, including the following items, which the EDPB considers should be further assessed and monitored by the European Commission:

1. UK’s potential divergence from EU data protection law – the EDPB highlights the potential for the UK Government to develop separate and independent policies in data protection which might diverge from those in the EU. The EDPB recommends that the EU Commission closely monitor any divergence and take necessary actions including by amending and/or suspending any adequacy decision if necessary.

2. UK’s “immigration exemption” – the EDPB concludes that the ‘immigration exemption’ set out in Schedule 2 to the Data Protection Act 2018, which exempts controllers involved with immigration-related activities from complying with certain obligations under the GDPR, is too “broadly formulated”; and calls on the European Commission to provide further information on the necessity and proportionality of such a broad exemption in UK law.

3. Onward transfers – the EDPB concludes that certain aspects of the UK legal framework with regard to onward transfers might undermine the level of protection of personal data transferred from the EEA, on the basis of, for instance, future adequacy decisions adopted by the UK, international agreements concluded between the UK and third countries or derogations.

4. Access by public authorities to data transferred to the UK – the EDPB concludes that the European Commission should assess and closely monitor access by UK public authorities for national security purposes to personal data transferred to the UK. In particular, the EDPB identifies the following points that it considers need further clarification and/or monitoring:

    • Bulk interceptions;
    • Independent assessment and oversight of the use of automated processing tools;
    • Safeguards provided under UK law when it comes to overseas disclosure, in particular in light of the application of national security exemptions; and
    • Other forms of information sharing and disclosures, on the basis of other instruments, in particular the various international agreements concluded by the UK with other third countries, especially where these instruments remain inaccessible to the public.

The EDPB does however note the introduction of new concepts in this area, such as the establishment of the Investigatory Powers Tribunal to address the challenges of redress in the area of national security, and the introduction of Judicial Commissioners in the Investigatory Powers Act (IPA) 2016 to ensure better oversight.

What next?

The European Commission will now seek approval of the UK adequacy decision from representatives of each EU Member State and will then adopt a final decision regarding the adequacy decisions. In addition, the EDPB opinions will also be presented to the European Parliament LIBE committee (which issued its own (non-binding) Opinion in February 2021 concluding that the UK should not be granted an adequacy decision).

Although the EDPB and European Parliament LIBE committee opinions form an important part of the consultation process, it is ultimately for the EU Commission to make the final decision regarding UK adequacy. The European Commission has indicated that it expects to have approval from the EU Member States, and make the final adequacy decision, before the six-month bridging period ends in June. Once adopted, the adequacy decisions would be valid for a period of four years, after which the adequacy decisions will be reviewed. Given the concerns raised in the EDPB opinions, it is likely that the UK adequacy decision will be subject to regular review and monitoring by the European Commission (which no other country assessment currently receives), with the “spotlight” placed firmly on the UK as the UK starts to make its own adequacy decisions and develop its data protection framework.

For further information, please get in touch with your usual DLA Piper contact.