The EDPB worries that adequacy agreements with the UK could allow personal data to flow to the U.S.
The European Union’s (EU) other privacy regulator has rendered its assessment of the European Commission’s (EC) adequacy decisions on the United Kingdom’s (UK) laws, decisions that would allow personal data to be transferred from the EU to the UK under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED). The European Data Protection Supervisor (EDPS) Wojciech Wiewiórowski rendered his opinion on these decisions earlier this spring (see here for detail and analysis), taking issue with both the substance and the process of the adequacy decisions.
In the rush to reach a deal so the UK could leave the EU in orderly fashion, Britain and the EC agreed to defer some decisions, one of which was an adequacy decision to let personal data continue flowing from the EU to the UK. The EU-UK Trade and Cooperation Agreement (TCA) that governs the UK’s exit provided for a six-month grace period ending on 30 June 2021, because negotiators had not worked out a number of details, including how the UK would be treated vis-à-vis the GDPR and the LED. Under EU law, data flows out of the EU must rest on one of a few legal mechanisms so that the rights of EU citizens and residents are respected in other nations. An adequacy decision is the most desirable mechanism from a trade and business standpoint, and at present fewer than 15 nations operate under adequacy decisions. The notable absence is the United States (U.S.): the EU’s highest court recently struck down the second EU-U.S. adequacy decision in a decade. The EC issued two draft adequacy decisions and asked the EDPS and the European Data Protection Board (EDPB) to assess them:
- Draft decision on the adequate protection of personal data by the United Kingdom – General Data Protection Regulation
- Draft decision on the adequate protection of personal data by the United Kingdom: Law Enforcement Directive
While neither the EDPS nor the EDPB can veto or block adequacy decisions, under the procedure for these matters the Parliament or the Council could take steps to have the decisions changed or try to block them. It is also possible that the EC itself decides to amend the decisions or even scrap them. And so the two privacy regulators’ opinions may prove persuasive and result in changes to the adequacy decisions. Incidentally, talks were just concluded between the EC and South Korea about an adequacy decision for that nation.
The EDPB has issued its opinions on the EC’s draft adequacy decisions for the UK, which would allow personal data to flow from the EU into Britain after its exit from the bloc:
- Opinion 14/2021 regarding the European Commission Draft Implementing Decision pursuant to Regulation (EU) 2016/679 on the adequate protection of personal data in the United Kingdom
- Opinion 15/2021 regarding the European Commission Draft Implementing Decision pursuant to Directive (EU) 2016/680 on the adequate protection of personal data in the United Kingdom
Let’s start with the opinion on the GDPR adequacy decision. The Board stated its “key objective is to give an opinion to the EC on the adequacy of the level of protection afforded to individuals in the UK…[recognizing] that the EDPB does not expect the UK legal framework to replicate European data protection law.” The EDPB conceded:
However, the EDPB recalls that, to be considered as providing an adequate level of protection, Article 45 GDPR and the case-law of the Court of Justice of the European Union (hereinafter “CJEU”) require the third country’s legislation to be aligned with the essence of the fundamental principles enshrined in the GDPR. The UK data protection framework is largely based on the EU data protection framework (in particular the GDPR and Directive (EU) 2016/680 of the European Parliament and of the Council, hereinafter “EU Law Enforcement Directive” or “LED”) which derives from the fact that the UK was a Member State of the EU up until 31 January 2020. Moreover, the UK Data Protection Act 2018, which came into force on 23 May 2018 and repealed the UK Data Protection Act 1998, further specifies the application of the GDPR in UK law, in addition to transposing the EU Law Enforcement Directive, as well as granting powers and imposing duties on the national data protection supervisory authority, the UK Information Commissioner’s Office (hereinafter “ICO”). Therefore the EDPB recognises that the UK has mirrored, for the most part, the GDPR in its data protection framework.
The EDPB further explained that its opinion points to areas in the agreement that bear further examination “to ensure that the essentially equivalent level of protection is met, and should be closely monitored in the UK by the European Commission.”
The Board notes a general challenge to maintaining an adequacy decision for the UK. The government of Prime Minister Boris Johnson has articulated plans to revamp its data protection laws, and if that occurs the EC would need to reassess British law to determine whether it is still essentially equivalent to EU law. The Board urged the EC to be ready to suspend or amend the adequacy decision if necessary.
The EDPB takes issue with the UK’s immigration exemption under the Data Protection Act 2018. In particular, “[t]he EDPB calls also on the EC to provide in the adequacy decision further information on the immigration exemption, in particular in relation to the necessity and proportionality of such broad exemption in UK law, notably having regard to the broad scope of application ratione personae.”
The Board then raises issues it sees regarding “onward transfers” (i.e., in this case, personal data transferred from the EU to the UK and thereafter transferred from the UK to a third country). This issue pertains mostly to the U.S., given the historic intelligence-sharing arrangement between the UK and the U.S. The EDPB noted:
Indeed, Article 44 GDPR provides that transfers and onward transfers of personal data shall only take place if the level of protection of natural persons guaranteed by the GDPR is not undermined. This means that not only the UK legislation shall be “essentially equivalent” to the EU legislation with regard to the processing of personal data transferred to the UK under the future adequacy decision, but also that the rules applicable in the UK with regard to the onward transfer of those data to third countries shall ensure that an essentially equivalent level of protection will continue to be provided.
Later in the opinion, the EDPB notes that the EC simply did not address the UK’s intelligence-information sharing with the United States and the other Five Eyes partners. Of course, to the extent this sharing is a means by which the rights enshrined in the GDPR and other EU legal instruments may be transgressed, that was likely just as true while the UK was part of the EU. The UK’s intelligence agreements have not changed in the last few years as it slowly broke from the EU. Consequently, the same risks to EU personal data existed before the UK’s departure, including during the periods when U.S. adequacy decisions were in force. And so the EDPB’s criticism of these practices rings a bit hollow, at least insofar as it treats as a new development the possibility that EU personal data could be sent to nations that do not comply with EU law.
In response to the prospect of EU personal data flowing to the U.S., a nation without an EC adequacy decision, and to other nations, the EDPB stressed that the EC “should consider amending the adequacy decision to introduce specific safeguards for data transferred from the EEA and/or to suspend the adequacy decision.” The EDPB also called on the EC to monitor whether the recently executed “UK-US CLOUD Act Agreement” provides appropriate additional safeguards and, if not, to take action by amending or suspending the adequacy decision.
Nonetheless, the Board goes on to acknowledge:
The EDPB acknowledges that the UK has mirrored in most parts the relevant provisions of the GDPR in the UK GDPR and in the Data Protection Act 2018; nevertheless, the European Commission is invited to continuously monitor any developments in the UK legal framework and practice, which might lead to detrimental impacts on those areas.
The EDPB lauded some changes in British oversight “in the UK legal framework applicable to security and intelligence agencies, especially regarding the interception and acquisition of communication data.” The Board welcomed the establishment of the Investigatory Powers Tribunal (IPT), which is empowered to hear cases on the use of investigatory techniques by both law enforcement and the intelligence services. The EDPB also raised questions about exceptions to the safeguards against unwarranted investigation in the Investigatory Powers Act 2016, exceptions it thinks the EC needs to examine further. The Board further detailed its misgivings about the UK’s bulk collection activities in light of recent EU court rulings limiting this practice.
The EDPB concluded:
- The EDPB considers that the UK adequacy assessment is unique because of the previous status of the UK as an EU Member State. Besides, it would also be the first adequacy decision including a sunset clause.
- Accordingly, the EDPB recognises many areas of convergence between the UK and the EU data protection frameworks. At the same time, however, and following a careful analysis of the European Commission’s draft decision and the UK data protection legislation, the EDPB has identified a number of challenges, which are examined extensively in this opinion. In this context, the EDPB wishes to emphasise the paramount role of the European Commission on the monitoring of all relevant developments in the UK.
- In light of the above, the EDPB recommends the European Commission to address the challenges raised in this opinion. The EDPB also invites the European Commission to monitor closely all relevant developments in the UK that may have an impact on the essential equivalence of the level of protection of personal data, and to take swiftly appropriate actions, where necessary.
Now, let’s turn to the EDPB’s opinion on the EC’s adequacy decision under the LED. As in its opinion on the GDPR adequacy decision, the Board cautions the EC to monitor British legislation and case law to ensure they do not deviate from EU law in ways that would warrant suspending or amending the adequacy decision. In general, the EDPB found that the UK’s laws comport with the EU’s with respect to the LED, but it noted areas of concern it is urging the EC to consider further. Again, as with the other adequacy decision, the EDPB voices concern about onward transfers from the UK and calls on the EC to ensure that third countries receiving such data have laws sufficient to protect EU rights. And again, the intelligence-information-sharing relationship with the U.S. is an issue, notably under the UK-US CLOUD Act Agreement.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.