At the beginning of 2021, the European Commission laid out its adequacy decision for the UK which deems the UK’s privacy legislation essentially adequate to that of the European Union. There are six reasons based on which the UK’s adequacy will be granted, including the UK’s solid constitutional framework, the oversight and enforcement, and the material and territorial scope of the data protection framework. This article aims to outline the most important points made by the European Data Protection Board (EDPB) in its recently published opinion regarding the European Commission’s Draft Implementing Decision pursuant to the EU GDPR on the adequate protection of personal data in the United Kingdom.
What you need to know, in a nutshell
- The EDPB recognises that the UK’s privacy framework is essentially similar to the regime in the EU
- The immigration exemption is broadly formulated, and therefore it would be essential to identify the existence of additional safeguards, and whether such safeguards could be envisaged through legally binding instruments to enhance foreseeability and protection of the data subjects.
- The level of protection of personal data transferred from the EEA could be undermined, given that the UK has capacity under its legal framework to provide adequacy status to territories that may not be deemed adequate under the EU framework.
- The EDPB asks the European Commission for assurances that transfers of personal data from the UK to third countries are based on the UK GDPR, and that, following Schrems II, the UK’s adequacy status will require the implementation of effective safeguards to ensure protection in the country of destination.
In this article
- Areas of assessment
- Divergence that might create risk for the maintenance of the level of protection of personal data
- Immigration exemption
- Onward transfers
- UK privacy on the international stage
On 31 December 2020, the transition period following Brexit ended and the United Kingdom officially became a third country, meaning that the General Data Protection Regulation (Regulation (EU) 2016/679) (EU GDPR) no longer applies directly in the UK. However, the Data Protection Act 2018 (DPA 2018) enacted the EU GDPR provisions into UK law, and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 amended the DPA 2018 to create a UK-customised regime in the form of the UK General Data Protection Regulation (UK GDPR).
Areas of assessment
The EDPB recognises that the UK’s privacy framework is essentially similar to the regime in Europe. At the same time, the EDPB highlighted that it does not expect the UK’s legal framework to replicate the European Data Protection Law.
At the same time, the EDPB emphasises that when providing an adequacy status to a third country, Article 45 of the EU GDPR and the case law of the Court of Justice of the European Union must be closely considered given the required alignment with the fundamental principles enshrined by the EU GDPR.
Given that the UK is a former member of the EU, the EDPB identified many aspects of the UK’s law and practice that are equivalent to those in the EU. The EDPB therefore exercised its role by looking more closely at the aspects which require more attention, including:
- The divergence that might create risk for the maintenance of the level of protection provided to personal data transferred from the European Economic Area (EEA) to the UK
- The immigration exemption, which is broadly formulated, and therefore the EDPB asks the European Commission to provide information on the necessity and proportionality of this exemption
- The possibility of undermining the level of protection of personal data transferred from the EEA, particularly with regard to onward transfers
- The interplay between the UK’s privacy regime and its international commitments that are enshrined in the international agreements between the UK and any other third countries (e.g., the UK-US Cloud Act Agreement on countering serious crime)
- The need to gather further clarification of the scenarios for which a lawful interception is allowed without the approval of the Investigatory Powers Act Commissioner or the Judicial Commissioners
Divergence that might create risk for the maintenance of the level of protection of personal data
The UK Government declared that it intends to develop separate and independent policies in data protection that may steer away from the EU’s data protection framework. Such changes pose a significant risk to the protection of personal data. Therefore, the European Commission is invited to maintain close oversight of such political developments in order to amend or suspend the UK’s adequacy status if necessary.
Immigration exemption
The exemption is laid down under Schedule 2 of the DPA 2018, and it also applies in cases where personal data is not collected for immigration purposes and is then made available to data controllers which process this data for immigration control purposes. Additionally, the European Commission is invited to expand the information provided regarding the immigration exemption, particularly looking at the necessity and proportionality in the UK’s legal framework. Moreover, the EDPB emphasised that further exploration into the UK’s legal framework would be essential to identify the existence of additional safeguards, or to explore whether such safeguards could be envisaged through legally binding instruments in order to enhance foreseeability and protection of the data subjects.
Onward transfers
Even though the UK mirrored most of Chapter V of the EU GDPR, the EDPB identified that the UK’s legal framework could undermine the level of protection of personal data granted by the EU GDPR when such data is transferred from the EEA. Article 44 of the EU GDPR provides that the transfer and onward transfers shall only proceed if the level of protection of personal data in the third country of destination is essentially equivalent to that under EU law. Now that the UK is not part of the EU, it has capacity under its legal framework to provide adequacy status to territories in light of the UK’s data protection regime. This means that there is a high chance that such territories, if deemed adequate by the UK, may not benefit from an adequacy status granted by the European Commission. Therefore, in such an event, the level of protection of personal data granted by EU law will be heavily undermined by onward transfers.
UK and privacy on the international stage
The UK can conclude international agreements with third countries which could also undermine the level of protection of personal data granted by the European Commission. Therefore, the EDPB emphasises the importance of examining the interplay between the UK’s data protection regime and its international commitments. An example of such an international agreement is the UK-US Cloud Act Agreement on countering serious crime. Additionally, the EDPB underlined the importance of analysing whether the UK-US Cloud Act Agreement ensures appropriate safeguards considering the sensitivity of the data. Moreover, the EDPB asks the European Commission to provide assurances that the transfers of personal data from the UK to third countries are based on the UK GDPR, and that following Schrems II, the UK’s adequacy status will require the implementation of effective safeguards in order to protect the personal data in the country of destination.
The EDPB outlined the positives in the establishment of the Investigatory Powers Tribunal, highlighting that the Tribunal functions as a proper court within the meaning of Article 47 of the Charter of Fundamental Rights of the European Union. Furthermore, the EDPB highlighted that the introduction of the Judicial Commissioner in the Investigatory Powers Act 2016 is a significant improvement. However, in order to effectively assess the level of oversight, it is necessary to receive further clarification of the scenarios for which lawful interception without approval by the Judicial Commissioners is possible. Additionally, it is essential to have clarity and assessment of bulk interceptions, particularly on the selection and application of the selectors, in order to clarify the extent to which access to personal data meets the threshold set by the Court of Justice of the European Union, and which safeguards are in place to protect the fundamental rights of individuals whose data is intercepted in this context, including the retention of such data.
Currently the level of protection granted to personal data in the UK is effectively similar to the protection granted by the European Union. Even though there is a high chance that such level of protection could change in the future, it can be seen that both the UK and the EU cooperate to maintain the free flows of data considering that this is crucial for high-value industries such as technology, banking, insurance, and other financial services.