April 19, 2021
At its 48th Plenary Session on 14 April 2021, the EDPB adopted two Opinions on the draft UK adequacy decisions: (i) Opinion 14/2021 based on the GDPR, assessing general data protection aspects and government access to personal data transferred from the EEA for the purposes of law enforcement and national security, including the legal remedies available to individuals in the EEA; and (ii) Opinion 15/2021 based on the Law Enforcement Directive (LED).
In Opinion 14/2021, the EDPB says that its key objective is to give an opinion to the European Commission on the adequacy of the level of protection afforded to individuals in the UK. It says it is important to recognise that the EDPB does not expect the UK legal framework to replicate European data protection law. However, to be considered as providing an adequate level of protection, Article 45 GDPR and the case-law of the CJEU require the third country’s legislation to be aligned with the essence of the fundamental principles enshrined in the GDPR. The UK data protection framework is largely based on the EU data protection framework. Moreover, the UK Data Protection Act 2018, which came into force on 23 May 2018 and repealed the UK Data Protection Act 1998, further specifies the application of the GDPR in UK law, in addition to transposing the LED and granting powers and imposing duties on the Information Commissioner’s Office. Therefore, the EDPB recognises that the UK has mirrored, for the most part, the GDPR in its data protection framework. It notes the strong alignment on certain core provisions, such as: concepts (e.g., “personal data”; “processing of personal data”; “data controller”); grounds for lawful and fair processing for legitimate purposes; purpose limitation; data quality and proportionality; data retention, security and confidentiality; transparency; special categories of data; direct marketing; automated decision making and profiling.
Nonetheless, challenges remain and the EDPB considers that certain items should be further assessed to ensure that the essentially equivalent level of protection is met. These include:
- monitoring the evolution of the UK legal system on data protection as a whole: the UK Government has indicated its intention to develop separate and independent policies in data protection with a possible will to diverge from EU data protection law; this possible future divergence might create risks for the maintenance of the level of protection provided to personal data transferred from the EU and the EDPB invites the European Commission to closely monitor any changes and take necessary action, including amending and/or suspending the decision if necessary;
- general data protection aspects:
  - the so-called “immigration exemption”, in Schedule 2 to the Data Protection Act 2018, Part 1, paragraph 4, is “broadly formulated”, the EDPB says, and it calls on the Commission to provide further information on it, in particular in relation to the necessity and proportionality of such a broad exemption in UK law;
  - in relation to onward transfers that might undermine the level of protection of personal data transferred from the EEA, the EDPB calls on the Commission to monitor the situation and if the essentially equivalent level of protection of personal data transferred from the EEA is not maintained by the UK, it should consider amending the adequacy decision to introduce specific safeguards for data transferred from the EEA and/or to suspend the adequacy decision;
  - on the absence of protections under Article 48 GDPR, which covers “Transfers or disclosures not authorised by Union law”, the EDPB invites the Commission to provide further assurances and specific references to the UK legislation that ensure that the level of protection under the UK legal framework is essentially equivalent to the level of protection guaranteed in the EEA; and
  - on procedural and enforcement mechanisms, the EDPB notes that a data protection framework consistent with the EU one must be characterised by the existence and effective functioning of an independent supervisory authority, the existence of a system ensuring a good level of compliance, and a system of access to appropriate redress mechanisms equipping individuals in the EEA with the means to exercise their rights and seek redress; the EDPB invites the Commission to monitor any developments in the UK legal framework and practice that might lead to detrimental impacts in these areas;
- access by public authorities to data transferred to the UK: the EDPB notes the significant changes in the UK legal framework applicable to security and intelligence agencies, especially regarding the interception and acquisition of communication data; the EDPB welcomes the fact that the UK has established the Investigatory Powers Tribunal and introduced “Judicial Commissioners” in the Investigatory Powers Act 2016; however, the EDPB invites the Commission to further assess and demonstrate that, even in cases where the double-lock procedure does not apply, the UK legal framework provides for appropriate safeguards; the EDPB also considers that further clarification is needed on bulk interceptions in order to clarify the extent to which access to personal data meets the threshold set by the CJEU, and which safeguards are in place to protect the fundamental rights of individuals whose data are intercepted, including data retention periods.
The EDPB concludes that the UK adequacy assessment is unique because of the previous status of the UK as an EU Member State. Accordingly, the EDPB recognises many areas of convergence between the UK and the EU data protection frameworks. However, the EDPB has identified a number of challenges and it says that the European Commission must monitor relevant developments in the UK.