UK Adequacy Decision
May 31st, 2021
Last week, EU lawmakers have endorsed two resolutions, sending a strong political message to the European Commission on data transfers to third countries, especially with the United States and the United Kingdom.
The first resolution calls on the Commission to develop clear guidelines on EU-US data flows in line with the “Schrems II” ruling and the opinion of the European Data Protection Board (EDPB).
UK adequacy decision under the General Data Protection Regulation (“GDPR”)
We will focus more on the second one, which concerns mainly the UK adequacy decision under the General Data Protection Regulation (“GDPR”). In this resolution, Members of the European Parliament ask the Commission to modify its draft decisions on whether or not UK data protection is adequate and data can safely be transferred from EU to UK in the future, without any further safeguard (additional clauses,…) being necessary.
Indeed MEPs, following concerns raised by the EDPB, consider that the assessment carried out by the Commission at the basis of its draft adequacy decision was incomplete and inconsistent with Court of Justice of the European Union (“CJEU”) requirements for adequacy assessment.
The main concerns relate to the way the Commission assessed the UK legislation (theoretical analysis, but not its actual application in practice), to UK enforcement processes, to the data processing for immigration purposes, to the UK laws that allow government agencies to collect bulk data, and its position regarding international agreements and data transfers (see below).
The resolution also states that, if the Commission adopts its implementing decisions before solving the issues mentioned, national data protection authorities are requested to suspend transfers of personal data to the UK when indiscriminate access to personal data is possible.
Relation with third countries and data transfers
A key point of concern relates to the onward transfers, as MEPs fear the UK might sign trade agreements with third countries that would allow EU data, once in UK, to be moved to those other third-countries, without an adequate level of protection being granted or further measures in place.
Indeed, the Commission is concerned that if the UK includes provisions on data transfers in any future trade agreements, inter alia US-UK trade agreements, the level of protection offered by the GDPR would be undermined. Also, the UK’s application to join the Comprehensive and Progressive Trans-Pacific Partnership (CPTPP) could have implications for data flow to countries that do not have an adequacy decision from the EU.
A different point of view
Several political groups emphasized the need for strong data rights in Europe and the dangers of mass surveillance, with others arguing that the UK has a high level of data protection- having data protection laws similar to EU laws- and that the UK adequacy decisions will help businesses.
Furthermore, a coalition of 16 tech and business groups defended that “the negative consequences of an interruption in data flows would be substantial to businesses in the UK and EU, given the EU remains the UK’s main trading partner and EU exports to the UK in 2019 alone amounted to approximately €430 billion.” The group also suggested that “a successful EU-UK process” could serve as a benchmark for negotiations for a EU-US Privacy Shield replacement. Given the Commission’s track record on Safe Harbour and Privacy Shield 1.0 that seems a bit of a leap.
Next steps
The Commission is expected to decide if it amends or not, and adopt its UK adequacy decision -meaning the continuation of data transfers from EU to UK without further measures necessary- in the coming months. The Belgian Commissioner for Justice, Didier Reynders, stressed that the UK’s data protection regime is largely similar to the EU’s. However, future divergence is possible, and this is why the adequacy decision’s four-year sunset clause is very necessary, he pointed out.
Parliament urges the Commission and the UK authorities to address all these issues and insists that no adequacy decision should be granted. In particular, regarding the issue of mass surveillance, MEPs specify that no-spying agreements between member states and the UK could help solve matters and consequently facilitate adequacy in the future.
”“The Commission must not repeat the same mistakes by negotiating and signing off on data transfer agreements with third countries, including the United States and the United Kingdom. We do not want to witness a ‘Schrems III’ case.”
Juan Fernando López Aguilar,S&D chair of the LIBE committee and rapporteur for data protection adequacy