In the wake of Brexit the UK has needed to establish a new arrangement with the European Union on the security and handling of personal data transferred from within the European Economic Area (EEA) to the UK. The European Union’s data protection authorities have been reviewing the European Commission’s (EC) draft adequacy decision on this.
The European Data Protection Board (EDPB) has indicated its broad approval of the current protection frameworks, which is unsurprising given that the data protection regime here in the UK is still modeled exactly on those European frameworks, principally the General Data Protection Regulation (GDPR), which applied when the UK was still a member of the EU. It has cited core provisions such as grounds for lawful and fair processing of data for legitimate purposes; purpose limitation; data quality and proportionality; data retention, security and confidentiality; transparency; and others as being in alignment. At the same time, however, EDPB Chair Andrea Jelinek has urged the EC to monitor things in the UK closely.
Data protection in the UK is governed now by The UK Data Protection Act 2018, which enshrined into UK law the GDPR together with the Law Enforcement Directive (LED) and gave enforcement power to the Information Commissioner’s Office (ICO). In all respects here the EDPB has recognized current equivalence as a suitable basis to approve the EU’s granting adequacy to the UK, but Jelinek sounded a note of caution with addressing the European Parliament’s Committee for Civil Liberties, Justice and Home Affairs (LIBE), pointing out that the UK may diverge from the EU in the future and the EU would need, in such instances, to be ready to act if necessary, possibly by suspending the adequacy decision. Having said that, she did then express hope that ‘whilst laws can evolve, this alignment should be maintained.’
Whatever happens, the draft adequacy decision has a sunset clause built into it, meaning that it expires after four years.
The EDPB has specified certain items for close monitoring by the EC. These were predictable points of friction. In the matter of onward transfers of data, the Board will continue to monitor UK adequacy decisions with third countries as they may have consequences for data transferred to the UK from within the EEA. The Immigration Exemption has consequences for data subject rights, and the Commission has been asked to further analyse this situation and, if necessary, update the adequacy decision. Finally there is the question of mass surveillance to be considered. Jelinek, in her remarks, also mentioned the UK-US Cloud Agreement, where the issue is transferring data between service providers rather than authorities.
Perhaps not surprisingly, MEPs were not unanimous in their approval for the current approach to this issue. Some raised concerns, dismissed by Jelinek, that the Commission had put pressure on the EDPB. This follows claims reported by Politico, but Jelinek insisted that the draft decision had been adopted in the normal way. There was also concern among some members that the issues raised would be better resolved now than down the line, but these voices were not sufficiently numerous to prompt a rethink.
This approval of the draft adequacy decision is welcome since, whilst the opinion of the EDPB is not binding, it is difficult to foresee what further hurdles remain before the Commission issues its final decision. Whilst we don’t know exact timings, we fully expect this to happen prior to the end of June 2021 which is when the temporary bridging arrangement under the EU-UK Trade Agreement comes to an end.
For more information on the relevant areas mentioned in this case study, please click below: