On February 19, 2021, the European Commission published its draft decision granting data protection adequacy status to the UK under Article 45(3) of the GDPR. After publication, the European Commission submitted the draft decision to the European Data Protection Board (EDPB) for review, and the EDPB has just issued two opinions:
- Opinion 14/2021 is based on the GDPR and assesses both general data protection aspects and government access to personal data transferred from the EEA to the UK for the purposes of law enforcement and national security, including the legal remedies available to individuals in the EEA. The EDPB also assesses whether the safeguards provided under the UK legal framework are in place and effective.
- Opinion 15/2021 is based on the Law Enforcement Directive and analyzes the draft adequacy decision in light of Recommendations 01/2021 on the adequacy referential under the Law Enforcement Directive, as well as the relevant case law reflected in Recommendations 02/2020 on the European Essential Guarantees for surveillance measures.
What is the good news?
Overall, the EDPB considers that the UK legal framework is strongly aligned with the GDPR and the LED, in the sense that it is largely based on the EU data protection framework, since the UK was a Member State of the EU up until January 31, 2020. The EDPB recognizes that the UK GDPR and the Data Protection Act 2018 have mirrored in some parts the main provisions of the GDPR and notes that the main areas of alignment between the UK and the EU legal frameworks would be the following:
- concepts (e.g., “personal data,” “processing of personal data,” “data controller”)
- grounds for lawful and fair processing for legitimate purposes
- purpose limitation
- data quality and proportionality
- data retention
- security and confidentiality
- special categories of data
- direct marketing
- automated decision making and profiling
Is it all good news, or are there any areas of concern for the European Data Protection Board?
The EDPB expresses its overall concern that, because the UK is no longer a member of the EU, any further development in the UK legal framework and practice may create deviations from the EU legal framework in the future. Consequently, it welcomes the sunset clause included by the European Commission in the draft adequacy decision.
In addition, the EDPB invites the European Commission to closely and continuously monitor any further developments in this area to ensure that the UK legal framework stays aligned with the EU framework in the future, and it flags some specific areas that need further assessment or monitoring by the European Commission, such as:
- The “immigration exemption” (Schedule 2 to the UK Data Protection Act 2018, Part 1, paragraph 4), which restricts the right to be informed, the rights of access, erasure and objection, and the right to restrict processing, and which is currently being challenged in the UK courts
- The onward transfers of EEA data from the UK to third countries. The main concerns of the EDPB in this area are related to:
  - the adequacy assessment process by UK authorities regarding other third countries not recognized as adequate under the GDPR by the EU
  - the upcoming review of the already existing adequacy decisions rendered by the European Commission
  - the reassurance that data exporters in the UK will carry out the necessary transfer assessments and will implement supplementary measures, where necessary, following the Schrems II case
  - the international agreements concluded, or to be concluded, by the UK and the possible access by authorities from third countries to personal data from the EEA (it pays special attention to the UK-US CLOUD Act Agreement and its interplay with the EU-US Umbrella Agreement)
  - the future interpretation on the use of derogations by the UK
  - the absence of protections provided under Article 48 GDPR in the UK legal framework
In addition to the above, the EDPB also extensively analyzes the access to personal data by public authorities and the interception of communications under the UK Investigatory Powers Act 2016. It also invites the European Commission to monitor the effectiveness of sanctions and relevant remedies in the UK legal framework, the allocation of resources to the ICO, and the level of support the ICO provides to individuals whose personal data have been transferred to the UK under the adequacy decision in order to help them exercise their rights.
What are the next steps?
Adopting an adequacy decision is a four-step process. With the EDPB’s opinions, step 2 has been completed, and we are much closer to the final adoption of an adequacy decision by the European Commission. Now, the European Commission will need the approval from representatives from each EU Member State before being able to adopt the final decision.