On 19 February, the European Commission published two draft data adequacy decisions regarding transfers of personal data to the UK. The draft decisions declare UK data protection standards as “essentially equivalent” to those applying in the EU under GDPR and the Law Enforcement Directive (LED). If formally adopted, these decisions would allow the continued free flow of personal data from EU Member States to the UK. The adoption process also requires an opinion from the European Data Protection Board (EDPB) and approval from the Member States before the Commission can finally approve it. On 16 April, the EDPB published its opinions on the Commission’s draft decisions.
In this article, we will take a look at Opinion 15/2021, which covers the Commission’s draft decision on the adequate protection of personal data in the UK under the Law Enforcement Directive. The other opinion, Opinion 14/2021, covers the adequate protection of personal data under GDPR.
Opinion 15/2021 states that the EDPB does not expect the UK’s legal framework on data protection to replicate European data protection law. However, to be considered as providing an adequate level of protection, Article 36 of the LED requires the UK’s legislation to be aligned with the essence of the fundamental principles enshrined within the LED.
Areas of alignment
The EDPB acknowledges that the UK’s data protection framework is largely based on the EU’s data protection framework because the UK was an EU Member State until 31 January 2020. The EDPB states that there is strong alignment between the LED framework and the UK legal framework on certain core provisions, including concepts (e.g. “personal data”, “processing of personal data”, “data controller”); grounds for lawful and fair processing for legitimate purposes; purpose limitation; data quality and proportionality; data retention, security and confidentiality; transparency; special categories of data; automated decision making and profiling. The Law Enforcement Directive is transposed into UK law via Part 3 of the Data Protection Act 2018. The EDPB welcomes the fact that the UK has signed the Council of Europe Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data (Convention 108). The EDPB acknowledges that the UK has adhered to Convention 108, and is currently working on ratifying it.
The EDPB accepts that the provisions under Chapter 5 of Part 3 of the Data Protection Act 2018 do, in principle, provide a level of protection which is essentially equivalent to that offered under EU law regarding transfers of personal data by UK law enforcement authorities to third countries. It also notes the UK’s capacity under its legal framework to recognise third country territories as providing an adequate level of data protection in the context of the UK’s data protection framework. However, the EDPB feels that such onward transfers might threaten the protection of personal data transferred from the EU to the UK, particularly if the UK’s data protection regime diverges from EU standards in the future. In particular, the EDPB draws attention to the UK-US Agreement on Access to Electronic Data for the Purpose of Countering Serious Crime (also known as the UK-US CLOUD Act Agreement), which it feels could affect onward transfers of EU personal data by law enforcement authorities in the UK.
Possible future divergence
The EDPB’s opinion notes that the UK now has autonomy over any future changes to its data protection regime (as it is no longer an EU Member State). In the EDPB’s view, this means there is a risk that the UK’s data protection legal framework could significantly diverge from EU standards in the future. For this reason, it welcomes the Commission’s inclusion of a four-year sunset clause in its draft decision.
LED specific concerns
The LED covers the processing of personal data by national authorities for criminal law enforcement purposes. The EDPB is concerned that the Commission’s decision as currently drafted does not have enough detail on the legal framework applicable to agencies with law enforcement duties other than the police (e.g. the National Crime Agency (NCA) and GCHQ). It also disagrees with the Commission’s assessment that the consent of the data subject is not a relevant factor when analysing data adequacy. The EDPB’s opinion draws attention to the use of national security certificates under s79 of the Data Protection Act 2018, which are used to certify that limitations on the rights enshrined in the Act are a necessary and proportionate measure for the protection of national security. In the EDPB’s view, the Commission’s analysis of the use of these certificates in its adequacy decision could be more comprehensive. In addition, the EDPB notes that Article 11(3) of the LED prohibits profiling that results in discrimination against natural persons on the basis of special categories of personal data. The EDPB’s opinion states that further work is needed to verify whether this prohibition is reflected in UK data protection law.
Oversight and enforcement of the UK regime
The EDPB’s opinion explains that there are a number of Commissioners who are responsible for the oversight of the UK’s criminal law enforcement agencies (including the Investigatory Powers Commissioner, the Commissioner for the Retention and Use of Biometric Material and the Surveillance Camera Commissioner). In the EDPB’s view, the current draft adequacy decision does not do enough to assess the independence of these Commissioners.
Recommendations to the Commission
The EDPB asks the Commission to closely monitor future developments in the UK’s data protection legal framework and to keep watch for any divergence in standards. If it finds that an essentially equivalent level of protection for personal data transferred from the EU to the UK is not being maintained (including through onward transfers), then it should take appropriate action. This might include amending the adequacy decision to introduce specific safeguards to protect data transferred from the EU to the UK, or suspending the adequacy decision altogether.
In this context, the Commission will need to examine the interplay between the UK’s data protection regime and its international commitments (e.g. data sharing agreements with third countries) to assess the level of protection of personal data transferred from the EU to the UK and then sent on to third countries. If an international agreement between the UK and a third country risks undermining the EU’s data protection standards, the Commission should take action. The Commission should also monitor any future agreements the UK makes with third countries for the purposes of law enforcement co-operation that would provide a legal basis for transfer of personal data to these countries. It should especially consider whether the provisions of any such agreement could affect the application of UK data protection law. In addition, it should take account of whether any such agreements could create any limitations or exemptions regarding third countries using or disclosing information originally collected for law enforcement purposes.
The EDPB has asked the Commission to look into whether a mechanism exists for UK law enforcement authorities to inform Member States’ authorities when they conduct further processing or disclosure of personal data that that Member State has transferred to them. The Commission should analyse the effectiveness of any such mechanism within the UK legal framework, and should include its findings in the adequacy decision.
The EDPB also calls on the Commission to extend its analysis of the UK’s data protection framework to take a closer look at law enforcement agencies other than the police, in particular the NCA and GCHQ. It also invites the Commission to consider the possible use of the consent of the data subject in a law enforcement context in its UK adequacy decision, and to consider this matter as a rule when making adequacy assessments under the LED in the future.
The Commission should update its draft adequacy decision with a deeper analysis of the use of national security certificates under the Data Protection Act 2018. It should likewise make an explicit statement of its findings in relation to the use of profiling (as prohibited by Article 11(3) LED), and should closely monitor any future cases related to the use of automatic decision making and profiling in the UK. Finally, the Commission should expand its draft adequacy decision with a deeper assessment of the independence of the Commissioners who oversee the UK’s criminal law enforcement agencies.