On 19 February 2021, the European Commission published two draft data adequacy decisions regarding transfers of personal data to the UK. The draft decisions declare UK data protection standards to be “essentially equivalent” to those applying in the EU under the GDPR and the Law Enforcement Directive. If formally adopted, these decisions would allow the continued free flow of personal data from EU member states to the UK without further safeguards. The adoption process also requires an opinion from the European Data Protection Board (EDPB) and the approval of a committee of Member State representatives before the Commission can formally adopt the decisions. On 16 April 2021, the EDPB published its opinions on the Commission’s draft decisions.
In this article, we will take a look at Opinion 14/2021, which covers the Commission’s draft decision on the adequate protection of personal data in the UK under GDPR. The second opinion, Opinion 15/2021, covers the adequate protection of personal data under the Law Enforcement Directive.
The EDPB states that the UK data adequacy assessment is a unique one, as the UK is a former EU Member State. The draft decision is also unique in that it is the first adequacy decision to include a sunset clause: the decision expires after a fixed period (four years from entry into force) unless it is reviewed and renewed.
The EDPB acknowledges that there are many areas of convergence between EU and UK data protection frameworks, but several areas of challenge remain (as further detailed below). The EDPB therefore invites the Commission to address the various challenges raised in Opinion 14/2021. It also urges the Commission to closely monitor ongoing developments in the UK’s data protection legal framework and to take swift action where needed (including amending and/or suspending the adequacy decision if necessary).
Areas of convergence
The EDPB stresses that it does not expect the UK legal framework on data protection to replicate European data protection law. Instead, it needs to be aligned with the essence of the GDPR’s fundamental principles, so that the level of protection is “essentially equivalent”. The EDPB picks out a number of aspects of the UK’s regime as meeting this standard:
- The UK’s data protection framework is largely based on the EU data protection framework because the UK was an EU Member State until 31 January 2020.
- The Data Protection Act 2018 supplements and specifies the application of the GDPR in UK law (the GDPR itself having been retained in domestic law after the end of the transition period as the “UK GDPR”), transposes the EU’s Law Enforcement Directive, and grants powers to and imposes duties on the Information Commissioner’s Office (ICO) as the national data protection supervisory authority.
- There is a strong alignment between the GDPR framework and the UK framework on certain core provisions, including concepts such as “personal data”, “processing of personal data” and “data controller”; grounds for lawful and fair processing for legitimate purposes; purpose limitation; data quality and proportionality; data retention, security and confidentiality; transparency; special categories of data; direct marketing; automated decision making and profiling.
Areas of challenge
Opinion 14/2021 picks out several areas that the EDPB feels need to be further assessed to ensure that an essentially equivalent level of protection is met. These areas will need to be carefully monitored by the European Commission going forward.
Possible future divergence
The EDPB acknowledges that the UK Government has indicated its intention to develop separate and independent policies on data protection. Although these political declarations have not yet materialised in the UK legal framework, there is a possibility that the UK regime will diverge from the standards of EU data protection law in the future. This in turn might create risks for the maintenance of the level of protection provided to personal data transferred from the EU.
The EDPB has therefore invited the Commission to closely monitor such developments in the UK’s regime after its adequacy decision comes into force. The EDPB urges the Commission to amend or suspend the adequacy decision as necessary if the UK framework diverges from EU standards in the future.
Immigration exemption
Paragraph 4 of Part 1 of Schedule 2 to the Data Protection Act 2018 allows controllers to disapply certain data subject rights and GDPR provisions where applying them would be likely to ‘prejudice the maintenance of effective immigration control’. The EDPB is concerned that this provision (known as the ‘immigration exemption’) is broadly formulated. The case of Open Rights Group & Anor, R (On the Application Of) v Secretary of State for the Home Department & Anor EWHC 2562 (Admin) is a challenge to the legality of the immigration exemption and is currently under appeal in the English courts. The EDPB urges the Commission to keep track of the outcome of the appeal and to update its adequacy decision if necessary to take account of it.
The EDPB also calls on the Commission to update its draft adequacy decision to provide further information on the immigration exemption, in particular looking at whether such a broad exemption is necessary and proportionate. The Commission should also explore whether there are any additional safeguards already existing or which could be implemented in the UK legal framework to allow a better assessment of the necessity and proportionality of the exemption (e.g. legally binding instruments to complement the exemption by enhancing its foreseeability and safeguards for the data subjects).
Onward transfers
Article 44 GDPR provides that transfers and onward transfers of personal data to third countries are permitted only if the level of protection guaranteed by the GDPR is not undermined. This means that, as well as UK legislation being “essentially equivalent” to EU standards of data protection, the UK’s rules on the onward transfer of personal data to third countries must ensure that an essentially equivalent level of protection continues to be provided. The EDPB is concerned that third countries to which the UK permits onward transfers in the future (for example under its own adequacy regulations) might not offer an “essentially equivalent” level of protection to that guaranteed in the EEA, especially if the UK data protection framework diverges from EU standards in the future.
The EDPB therefore asks the Commission to closely monitor this situation and, if the essentially equivalent level of protection of data transferred from the EEA is not maintained as a result of onward transfers, then the Commission should amend or suspend its adequacy decision accordingly. As part of this role, the Commission will need to take account of any future international agreements between the UK and third countries which would cover the onward transfer of EEA personal data.
The Commission should pay particular attention to the UK-US CLOUD Act Agreement, which allows access to electronic data for the purpose of countering serious crime. In particular, the Commission should look at whether the Agreement ensures appropriate additional data protection safeguards taking into account the sensitivity of the categories of data concerned, and the fact that under the Agreement electronic evidence can be transferred directly by service providers rather than between authorities. The Commission should consider to what extent safeguards can be provided by an appropriate implementation of the EU-US Umbrella Agreement on the protection of personal information regarding the prevention, investigation, detection, and prosecution of criminal offences.
In the wake of the Court of Justice of the European Union’s judgment in the Schrems II case (Case C-311/18), the EDPB also asks the Commission to update its draft adequacy decision to provide reassurances that the necessary safeguards will be effectively put in place to protect EEA data that is transferred onward to a third country, and that those safeguards will take into account the legislation of the receiving third country.
Article 48 GDPR
UK data protection legislation lacks an equivalent of Article 48 GDPR, which provides that a third country court judgment or administrative decision requiring the transfer or disclosure of personal data may only be recognised or enforced if it is based on an international agreement (such as a mutual legal assistance treaty) in force between the requesting third country and the EU or a Member State. The EDPB has therefore asked the Commission to provide further reassurances, with specific references to the UK legislation, to demonstrate that the level of protection in this area is essentially equivalent.
Access to data by public authorities
The EDPB notes that the UK has made significant changes to its legal framework on the interception and acquisition of communications data by the security and intelligence agencies after the Court of Justice of the European Union (CJEU) and the European Court of Human Rights (ECtHR) both found aspects of the UK’s bulk collection regime, as then operated, to be incompatible with EU law and the European Convention on Human Rights respectively. In particular, the EDPB welcomes the oversight role of the Investigatory Powers Tribunal and of the Judicial Commissioners, introduced by the Investigatory Powers Act 2016, in supervising the use of surveillance powers under that Act.
However, the EDPB feels that further information is needed to determine the effectiveness of these additional levels of oversight. It therefore asks the Commission to demonstrate that the UK legal framework provides appropriate safeguards in this area to protect EEA personal data transferred to the UK (e.g. through ex post oversight and redress possibilities for individuals whose data has been intercepted).
In addition, the EDPB feels that further assessment is needed to clarify what safeguards are in place to protect the fundamental rights of individuals whose data is intercepted via bulk data collection, and to ascertain to what extent the UK’s activities in this sphere fall within the threshold set by the CJEU and ECtHR in the above cases. The EDPB would like to see an independent assessment from competent UK oversight authorities on this topic.
Similarly, the EDPB asks the Commission to undertake a further assessment of the use of automatic processing tools by the UK authorities and to see what safeguards are in place to protect EEA data in this respect. The EDPB stresses that the Commission will need to closely monitor developments in this field, including on the application of national security exemptions in data disclosures to third countries and the conclusion of data sharing agreements with third countries for the purpose of intelligence cooperation.