On 13 April 2021, the European Data Protection Board (EDPB) adopted two opinions on the European Commission’s draft adequacy decisions, which were issued in February 2021. The first relates to the transfer of personal data under the GDPR and the second to the transfer of personal data under the Law Enforcement Directive.
While these opinions are not binding on the Commission, they do carry significant weight and are a positive step towards an adequacy decision in favour of the UK. This will allow businesses to transfer data from the EEA to the UK following the end of the current ‘adequacy bridge’.
The EDPB concluded that the EU and UK GDPR regimes are strongly aligned and that the UK’s data protection framework primarily mirrors the GDPR and the Law Enforcement Directive.
However, the EDPB opinions highlight four areas of concern which it suggests the Commission should scrutinise more closely and continue to monitor.
The EDPB’s four areas of concern regarding the UK’s data protection regime are as follows:
Potential divergence from EU data protection law: The EDPB notes that the UK Government intends to develop separate and independent policies in data protection, which could diverge from the EU data protection framework. This possible future divergence may affect the level of protection given to personal data transferred from the EU.
UK's ‘immigration exception’: This exception, set out in Schedule 2 to the Data Protection Act 2018, exempts controllers involved with immigration-related activities from applying certain data subject rights (including the right to be informed and the right of access) if this would be likely to prejudice ‘the maintenance of effective immigration control, or the investigation or detection of activities that would undermine the maintenance of effective immigration control’. The EDPB considers this exception to be too broadly formulated and suggests that further clarification on its application is needed. The EDPB also asks that the Commission explores whether additional safeguards exist in the UK legal framework, or could be introduced, in relation to this exception.
Onward transfers: The EDPB recommends that the Commission considers amending the adequacy decision to introduce specific safeguards for onward transfers of EEA personal data from the UK to third countries. Such safeguards should ensure that the level of data protection is not undermined by the onward transfer from the UK to third countries and will continue to be essentially equivalent to that guaranteed in the UK.
Access by the intelligence services to data transferred to the UK: The EDPB welcomes the fact that the UK has established the Investigatory Powers Tribunal and introduced Judicial Commissioners. However, the EDPB raised concerns regarding the interception of communications under the UK’s Investigatory Powers Act 2016, which it suggests should be further assessed to ensure the UK legal framework provides appropriate safeguards that guarantee a level of protection essentially equivalent to that provided in the EU. The EDPB suggests further clarification in a number of areas, including: bulk interceptions; the conditions under which urgency can be invoked; and further independent assessment and oversight of the use of automated processing tools by UK intelligence community authorities.
So, what’s next?
The Commission will now seek approval from the representatives of each EU member state and then will adopt its final decisions regarding the UK's adequacy. Currently it expects this process to be completed within the six month bridging period that ends on 30 June 2021. If the decisions are adopted they would be valid for a period of four years, after which they may be renewed provided the UK’s data protection regime continues to be deemed adequate.