UK • New Rules • New Perspectives

European Data Protection Board - 48th Plenary Session - Statement: Wednesday, 14 April, 2021

During its plenary session, the EDPB adopted two Opinions on the draft UK adequacy decisions. Opinion 14/2021 is based on the GDPR and assesses both general data protection aspects and government access to personal data transferred from the EEA for the purposes of law enforcement and national security included in the draft adequacy decision. This assessment is based on the GDPR Adequacy Referential WP254. Opinion 15/2021 is based on the Law Enforcement Directive (LED) and analyses the draft adequacy decision in the light of Recommendations 01/2021 on the adequacy referential under the Law Enforcement Directive, as well as the relevant case law reflected in Recommendations 02/2020 on the European Essential Guarantees for surveillance measures. This is the first draft implementing decision on a third country’s adequacy under the LED ever presented by the European Commission and assessed by the EDPB.

The EDPB notes that there are key areas of strong alignment between the EU and the UK data protection frameworks on certain core provisions such as: grounds for lawful and fair processing for legitimate purposes; purpose limitation; data quality and proportionality; data retention, security and confidentiality; transparency; special categories of data; and on automated decision making and profiling.

EDPB Chair, Andrea Jelinek said: "The UK data protection framework is largely based on the EU data protection framework. The UK Data Protection Act 2018 further specifies the application of the GDPR in UK law, in addition to transposing the LED, as well as granting powers and imposing duties on the national data protection supervisory authority, the ICO. Therefore, the EDPB recognises that the UK has mirrored, for the most part, the GDPR and LED in its data protection framework and when analysing its law and practice, the EDPB identified many aspects to be essentially equivalent. However, whilst laws can evolve, this alignment should be maintained. So we welcome the Commission's decision to limit the granted adequacy in time and the intention to closely monitor developments in the UK.”

The EDPB underlines that several items should be further assessed and/or closely monitored by the European Commission in its decision based on the GDPR, such as:

• Immigration Exemption and its consequences on restrictions on data subject rights;
• The application of restrictions to onward transfers of EEA personal data transferred to the UK, on the basis of, for instance, future adequacy decisions adopted by the UK, international agreements concluded between the UK and third countries, or derogations.

Regarding access by public authorities for national security purposes to personal data transferred to the UK, the EDPB welcomes the establishment of the Investigatory Powers Tribunal (IPT) to address the challenges of redress in the area of national security, and the introduction of Judicial Commissioners in the Investigatory Powers Act (IPA) 2016 to ensure better oversight in that same field. The EDPB still identifies a number of points requiring further clarifications and/or monitoring:

• Bulk interceptions;
• Independent assessment and oversight of the use of automated processing tools;
• Safeguards provided under UK law when it comes to overseas disclosure, in particular in light of the application of national security exemptions.

The Board adopted Guidelines on the application of Article 65(1)(a) GDPR to delineate the main stages of the procedure and clarify the competence of the EDPB when adopting a legally binding decision on the basis of Article 65(1)(a) GDPR. The Guidelines also include a description of the applicable procedural safeguards and remedies. The guidelines will be subject to public consultation for a period of six weeks.

The EDPB adopted a final version of the Guidelines on the targeting of social media users following public consultation. The aim of the Guidelines is to clarify the roles and responsibilities of social media providers and targeted individuals. The final version integrates updated wording in order to address comments and feedback received during the public consultation.

The EDPB adopted a Statement on international agreements including transfers. The EDPB invites EU Member States to assess and, where necessary, review their international agreements that involve international transfers of personal data and which were concluded before 24 May 2016 (for those relevant to the GDPR) and 6 May 2016 (for those relevant to the LED) to align them, where necessary, with EU data protection law.

Note to editors:

Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed. 

The European Commission endorsed its draft implementing decision (hereinafter “draft decision”) on the adequate protection of personal data by the United Kingdom (hereinafter “UK”) pursuant to the LED on 19 February 20212. Following this, the European Commission initiated the procedure for its formal adoption.

On June 1st, the EU Parliament discussed the adequacy decision of data protection in the UK and made the following decision:

The European Commission should amend its draft decision on UK data protection to ensure EU standards for citizens’ privacy are respected. In a resolution passed on Friday (344 votes in favour, 311 against and 28 abstaining), MEPs ask the Commission to modify its draft decisions on whether or not UK data protection is adequate and data can safely be transferred there, bringing them in line with the latest EU court rulings and responding to concerns raised by the European Data Protection Board (EDPB) in its recent opinions. The EDPB considers that UK bulk access practices, onward transfers and its international agreements need to be clarified further. The resolution states that, if the implementing decisions are adopted without changes, national data protection authorities should suspend transfers of personal data to the UK when indiscriminate access to personal data is possible.

Before the vote, MEPs debated the UK adequacy decision and the “Schrems II” resolution on EU-US data flows. Several political groups emphasised the need for strong data rights in Europe and the dangers of mass surveillance, with others arguing that the UK has a high level of data protection, and that adequacy decisions help businesses and facilitate cross-border crime-prevention.

Exemptions for national security and immigration The resolution states that the UK’s basic data protection framework is similar to that of the EU, but raises concerns about its implementation. Notably, the UK regime contains exemptions in the fields of national security and immigration, which now also apply to EU citizens wishing to stay or settle in the UK. Current UK legislation also allows for bulk data to be accessed and retained without a person being under suspicion for perpetrating a crime, and the EU court has found indiscriminate access to be inconsistent with the General Data Protection Regulation (GDPR), warns the text.

Finally, MEPs underline that provisions on metadata (or “secondary data”) do not reflect the sensitive nature of such data and are therefore misleading. Although the Parliament objects to the Commission’s draft implementing acts granting data adequacy decisions for these reasons, MEPs welcome recent legislative changes that provide citizens access to judicial redress on data decisions and detailed oversight reports available for data interception on nation security grounds.

Third countries and onward transfers MEPs also worry about onward data transfers. The UK’s data-sharing agreements with the US mean EU citizens’ data could be shared across the Atlantic, despite recent rulings of the European Court of Justice that found US practices of bulk data access and retention incompatible with GDPR. Also, the UK’s application to join the Comprehensive and Progressive Trans-Pacific Partnership (CPTPP) could have implications for data flow to countries that do not have an adequacy decision from the EU.

Parliament urges the Commission and the UK authorities to address all these issues and insists that no adequacy decision should be granted. MEPs specify that no-spying agreements between member states and the UK could help solve matters.

Next steps The Commission is expected to decide on the UK’s data protection and the continuation of data transfers across the Channel in the coming months. Addressing the plenary before the vote, Commissioner for Justice Didier Reynders stressed that the UK’s current legislation is very similar to that of the EU. However, future divergence is possible, and this is why the adequacy decision’s four-year sunset clause is very necessary, he pointed out.

So it is currently in the stars when an adequacy agreement is to be expected. It is to be expected that the transitional period for interim equivalence will pass. After that, the data exchange can probably only be processed on the basis of con  SCC (Standard  Contractual  Clauses). Unless, of the short term, it is decided  to extend the transitional period.

28 June 2021: It almost borders on a miracle: 48 hours before the end of the transition period, the EU Commission has adopted two adequacy decisions on data protection. Here is the wording from the EU-Press Release:

The Commission has today adopted two adequacy decisions for the United Kingdom - one under the General Data Protection Regulation (GDPR) and the other for the Law Enforcement Directive. Personal data can now flow freely from the European Union to the United Kingdom where it benefits from an essentially equivalent level of protection to that guaranteed under EU law. The adequacy decisions also facilitate the correct implementation of the EU-UK Trade and Cooperation Agreement, which foresees the exchange of personal information, for example for cooperation on judicial matters. Both adequacy decisions include strong safeguards in case of future divergence such as a ‘sunset clause', which limits the duration of adequacy to four years. 

Věra Jourová, Vice-President for Values and Transparency, said: “The UK has left the EU but today its legal regime of protecting personal data is as it was. Because of this, we are adopting these adequacy decisions today. At the same time, we have listened very carefully to the concerns expressed by the Parliament, the Members States and the European Data Protection Board, in particular on the possibility of future divergence from our standards in the UK's privacy framework. We are talking here about a fundamental right of EU citizens that we have a duty to protect. This is why we have significant safeguards and if anything changes on the UK side, we will intervene”.

Didier Reynders, Commissioner for Justice, said: “After months of careful assessments, today we can give EU citizens certainty that their personal data will be protected when it is transferred to the UK. This is an essential component of our new relationship with the UK. It is important for smooth trade and the effective fight against crime. The Commission will be closely monitoring how the UK system evolves in the future and we have reinforced our decisions to allow for this and for an intervention if needed. The EU has the highest standards when it comes to personal data protection and these must not be compromised when personal data is transferred abroad.”

Key elements of the adequacy decisions

• The UK's data protection system continues to be based on the same rules that were applicable when the UK was a Member State of the EU. The UK has fully incorporated the principles, rights and obligations of the GDPR and the Law Enforcement Directive into its post-Brexit legal system.
• With respect to access to personal data by public authorities in the UK, notably for national security reasons, the UK system provides for strong safeguards. In particular, the collection of data by intelligence authorities is, in principle, subject to prior authorisation by an independent judicial body. Any measure needs to be necessary and proportionate to what it intends to achieve. Any person who believes they have been the subject of unlawful surveillance may bring an action before the Investigatory Powers Tribunal. The UK is also subject to the jurisdiction of the European Court of Human Rights and it must adhere to the European Convention of Human Rights as well as to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, which is the only binding international treaty in the area of data protection. These international commitments are an essential elements of the legal framework assessed in the two adequacy decisions.
• For the first time, the adequacy decisions include a so-called ‘sunset clause', which strictly limits their duration. This means that the decisions will automatically expire four years after their entry into force. After that period, the adequacy findings might be renewed, however, only if the UK continues to ensure an adequate level of data protection. During these four years, the Commission will continue to monitor the legal situation in the UK and could intervene at any point, if the UK deviates from the level of protection currently in place. Should the Commission decide to renew the adequacy finding, the adoption process would start again.
• Transfers for the purposes of UK immigration control are excluded from the scope of the adequacy decision adopted under the GDPR in order to reflect a recent judgment of the England and Wales Court of Appeal on the validity and interpretation of certain restrictions of data protection rights in this area. The Commission will reassess the need for this exclusion once the situation has been remedied under UK law.

Background

On 19 February, the Commission published two draft adequacy decisions and launched the procedure for their adoption. Over the past months, the Commission has carefully assessed the UK's law and practice on personal data protection, including the rules on access to data by public authorities in the UK. The Commission has been in close contact with the European Data Protection Board, which gave its opinion on 13 April, the European Parliament and the Member States. Following this in-depth process, the European Commission requested the green light on the adequacy decisions from Member States' representatives in the so-called comitology procedure. The adoption of the decisions today, following the agreement from Member States' representatives, is the last step in the procedure. The two adequacy decisions enter into force today.

The EU-UK Trade and Cooperation Agreement (TCA) includes a commitment by the EU and UK to uphold high levels of data protection standards. The TCA also provides that any transfer of data to be carried out in the context of its implementation has to comply with the data protection requirements of the transferring party (for the EU, the requirements of the GDPR and the Law Enforcement Directive). The adoption of the two unilateral and autonomous adequacy decisions is an important element to ensure the proper application and functioning of the TCA. The TCA provides for a conditional interim regime under which data can flow freely from the EU to the UK.  This interim period expires on 30 June 2021.

28 June 2021 Subsequently we publish here the press-reöease of the UK Government:

Conclusion: with these decisions, the EU has created the possibility for companies to continue working in the short to medium term for the foreseeable period of the next 4 years. However, one should be aware that this regulation involves a volatility through which the UK can finally fall into third country status, with the consequences for the loss of equivalence status.