Free flow of data from the EU to the UK hangs in the balance
In a resolution narrowly passed on Friday 21 May, Members of the European Parliament have asked the European Commission to amend its draft UK adequacy decisions.
The draft decisions are currently seen as being inconsistent with EU law and case law, as well as inadequately addressing concerns, particularly surrounding access to personal data by UK intelligence authorities. The UK Government’s stance on data protection is also being called into question.
Others have stressed the UK has a high level of data protection and adequacy decisions would both help businesses and facilitate crime-prevention across borders.
However, in the resolution MEPs have said should the Commission adopt its adequacy decisions before the UK resolves specific issues, it would request national data protection authorities suspend the transfer of personal data to the UK.
How did we get here?
As we approached the end of the Brexit transition period, there were concerns about how cross-border data transfers from the EU to the UK would work in light of restrictions under GDPR for data transfers to third countries (i.e. countries outside the European Economic Area) and under the EU Law Enforcement Directive.
In December’s Trade and Cooperation Agreement there was a reprieve. It allowed for data transfers to continue temporarily (without the need for additional safeguard mechanisms). This allowed some time for the EU to assess whether the UK should receive adequacy status. If agreed this would then allow for the free flow of data on a more permanent basis.
This was swiftly followed up in January with news of draft EC adequacy decisions.
The European Data Protection Board (EDPB) then announced in April it had adopted two opinions on the UK adequacy decisions.
These were largely positive and noted there were “key areas of strong alignment between the EU and UK data protection frameworks”. In other words, pointing to the UK’s implementation of UK GDPR, which is largely identical to EU GDPR.
What concerns do MEPs have?
There are four key areas cited as cause for concern and why MEPS have asked the EC to amend its decisions.
1) The processing of personal data for immigration purposes
Issues have been raised about individuals’ rights in relation to the UK’s immigration policy and there is a call for the UK Data Protection Act to be amended in this regard before an adequacy decision can be granted.
2) Lack of GDPR enforcement
Concerns have been raised about the lack of enforcement of GDPR in the UK while it was still a member of the EU. There are also worries about statements made by Boris Johnson about how the UK will seek to diverge from EU data protection rules and the UK’s National Data Strategy.
3) The onward transfer of personal data
It was highlighted that the UK has said it will make its own adequacy decisions moving forward and these could be inconsistent with EU decisions. For example, if there is an adequacy decision allowing for the free flow of data from the EU to the UK, the UK could then grant adequacy to another third country which the EU did not agree with, allowing for EU citizens data to be transferred to a third country via the UK.
Some MEPS also expressed concerns that as UK will not fall under the jurisdiction of the Court of Justice of the EU (CJEU), UK courts could no longer apply the EU Charter of Fundamental Rights.
4) Mass surveillance
There are concerns the draft decisions don’t fully take into account the national security exemption in UK data protection law, the bulk collection of metadata and the ‘Five Eyes agencies’ which share all intelligence data.
MEPs say if UK surveillance law is not amended “no spying agreements” between EU countries and the UK could be a potential solution. These would prohibit the spying of data on citizens and companies.
What’s clear is there are significant hurdles to overcome.
Over the last few years, many organisations have implemented measures to protect themselves against a no-adequacy decision. This is largely through ensuring safeguard mechanisms are in place such as Standard Contractual Clauses or intra-group Binding Corporate Rules.
For those that haven’t made preparations, the window given for the EU’s adequacy assessment was four months, with a possible extension to six months. The clock is ticking; and time may be running out.
Philippa Donn, May 2021
Also see UK Data Protection Law post Brexit
Data protection team over-stretched or need some specialist support? Find out how we can help with no-nonsense practical privacy advice – Contact Us.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.