The EDPB Opinion on the EC Draft Adequacy Decision for the UK

During its 48th plenary session, the European Data Protection Board (EDPB) adopted two opinions on the European Commission’s (EC) draft UK adequacy decision published on 19 February. As part of the normal adoption process, the EC requested the opinion of the EDPB, which then issued two opinions on 13 April 2021.

The General Data Protection Regulation restricts the transfer of personal data to a ‘third country’ unless there is (1) an adequacy decision; (2) appropriate safeguards (i.e., standard contractual clauses); or (3) an Article 49 derogation. At the end of the Brexit Transition Period, the UK and EU agreed to the Trade and Cooperation Agreement, which included a provision allowing the transfer of personal data from the EU to the UK for a period of up to six months without the need for additional safeguards, giving the EU additional time to adopt a formal adequacy decision.

Strong Alignment

For a country to get an adequacy determination, the third country’s legislation “must be aligned with the essence of the fundamental principles enshrined in the GDPR.” The EDPB concluded in its Opinions that there is “strong alignment” between the GDPR framework and the UK framework. The EDPB noted that the UK data protection framework is largely based on the EU data protection framework: the UK enacted the Data Protection Act 2018, which specifies the application of the GDPR, in addition to the EU Law Enforcement Directive, in UK law, and created a national supervisory authority, the Information Commissioner’s Office.

The EDPB noted that this will be the first adequacy decision with a sunset clause that will require review of the adequacy decision after four years.

The relevant legal framework applicable in the UK after the end of the transition period consists of:

  • The United Kingdom General Data Protection Regulation (hereinafter “UK GDPR”), as incorporated into the law of the UK under the European Union (Withdrawal) Act 2018, as amended by the DPPEC (Data Protection, Privacy and Electronic Communications (Amendment Etc.) (EU Exit)) Regulations 2019;
  • The Data Protection Act 2018 (hereinafter “DPA 2018”), as amended by the DPPEC Regulations 2019, and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020; and
  • The Investigatory Powers Act 2016

(together “the UK Data Protection Framework”).

The EDPB noted with approval that the UK is a party to Convention 108 and 108+, the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, a 1981 Council of Europe treaty that protects the right to privacy of individuals.

EDPB Areas of Concern Presented by the UK Data Protection and Privacy Laws

1. Evolution of the UK Legal System on Data Protection:

The UK government has indicated its intention to develop separate, independent policies on data protection, which may then lead to a divergence from EU data protection law. In addition, the UK is no longer bound by the case law of the Court of Justice of the European Union.

2. UK’s Immigration Exemption:

The EDPB concluded that the ‘immigration exemption’ is too “broadly” formulated, as it allows personal data that was not collected for the purpose of immigration control to be processed for this purpose. The EDPB requested that the EC provide further information on the immigration exemption and decide whether it meets the necessity and proportionality requirements. The ‘immigration exemption’ is laid out in Schedule 2 to the Data Protection Act 2018, which allows controllers involved in “immigration control” to be exempted from the application of certain data subject rights. It applies to the following rights: right to be informed; right of access; right to erasure; right to restrict processing; and right to object. The EDPB argued that this goes beyond what may be allowed considering Articles 7 and 8 of the EU Charter.

3. Onward Transfers:

The EDPB concluded that onward transfers “might undermine the level of protection of personal data transferred from the EEA.” In particular, the UK Secretary of State now has the power to recognise a third country (or a territory or a sector within a third country), an international organisation, or a description of such a country, territory, sector, or organisation as ensuring an adequate level of protection of personal data and provide for onward transfers from the UK without additional safeguards.

This creates a situation in which the UK could adopt adequacy decisions for countries even if the EU has not and will not. The EDPB recommended the EC amend the “adequacy decision to introduce specific safeguards for data transferred from the EEA and/or suspend the adequacy decision.” This would take into account international agreements between the UK and third countries. The EDPB specifically mentioned the US and the UK-US CLOUD Act Agreement, and requested that the EC continue to monitor that agreement as well as the EU-US Umbrella Agreement.

4. Access by Public Authorities to Data Transferred to the UK:

The EDPB noted that data collection for national security purposes or for law enforcement purposes must meet the necessity and proportionality requirements with regard to legitimate objectives pursued. The EDPB identified certain areas for further clarification and monitoring including:

  • Bulk interceptions;
  • Independent assessment and oversight of the use of automated processing tools;
  • Safeguards provided under UK law when it comes to overseas disclosure, in particular noting national security exemptions; and
  • Other forms of information sharing and disclosures from international agreements concluded by the UK with other countries.

The EDPB welcomed the establishment of the Investigatory Powers Tribunal, which can hear cases on the use of the Investigatory Powers Act and other intelligence services, functioning as a proper court. The EDPB noted that the Investigatory Powers Commissioner is an independent judicial commissioner with independent judges. The EDPB called on the EC to review the UK legal framework for appropriate safeguards through ex post oversight and redress possibilities for individuals. The EDPB noted that the warrant requirement for the interception of bulk data is reviewed by an independent judicial commissioner, who reviews whether the warrant is necessary and proportionate to the operational purposes. The EDPB was concerned that data collected in bulk could be retained for longer periods. The EDPB also noted that, in urgent cases, the IPA 2016 allows for the modification of warrants without prior approval of a Judicial Commissioner if the Judicial Commissioner is consulted ex post within three working days. Finally, the EDPB was concerned with lower standards related to the collection of metadata.

5. Procedural and Enforcement Mechanisms:

The EDPB also analysed the following aspects of the UK Data Protection Framework as covered under the draft decision: the existence and effective functioning of an independent supervisory authority; the existence of a system ensuring a good level of compliance; and a system of access to proper redress mechanisms equipping individuals in the EU with the means to exercise their rights and seek redress.

The EDPB noted that the Information Commissioner is tasked with the oversight and enforcement of compliance with the UK GDPR and the DPA 2018. The EDPB invited the European Commission to monitor any developments regarding the allocation of resources to the ICO that would be detrimental to the proper fulfilment of the ICO’s tasks. At the same time, the EDPB recognized that the ICO is currently one of the best funded supervisory authorities compared to those in the EEA.

What’s Next?

The EDPB opinions form an important part of the consultation process, but the ultimate decision will be made by the European Commission. The EU Commission will now seek approval of the UK adequacy decision from representatives of each of the EU Member States and will then adopt a final decision regarding adequacy. The EU Commission has indicated it expects to make a final adequacy decision before the six-month bridging period ends in June. Once adopted, the UK adequacy decision will be valid for four years, at which time the adequacy decision will be reviewed.
