EDPB Opinions on UK Adequacy: Strong Alignment but Challenges Remain

On 19 February 2021, the European Commission published its draft UK adequacy decision that allowed for continued free flow of personal data from the EU into the UK. On 13 April 2021, the EDPB delivered Opinion 14/2021 for transfers of personal data under the GDPR and Opinion 15/2021 for transfers of personal data under the Law Enforcement Directive.

AREAS OF STRONG ALIGNMENT

The EDPB notes that there are many areas of convergence between UK and EU data protection frameworks such as the following:

• Concepts of personal data, processing of personal data, and the data controller
• Grounds for lawful and fair processing for legitimate purposes
• Purpose limitation
• Data quality and proportionality
• Data retention, security, and confidentiality
• Transparency
• Special categories of data
• Direct marketing
• Automated decision-making and profiling

AREAS OF CONCERN / CHALLENGES

Despite the areas of convergence, there are certain aspects in the UK data protection framework that need to be closely monitored by the European Commission to ensure that the essentially equivalent level of protection is met.

Some of the aspects highlighted by the EDPB are as follows:

Immigration Exemption:

The immigration exemption in the UK data protection framework restricts data subjects’ rights to information, access, rectification, erasure, restriction of processing, and object to the extent that giving effect to these rights is likely to prejudice the maintenance of effective immigration control. It applies to controllers who process personal data for immigration control purposes or transfer data to controllers who are responsible for such processing. The EDPB notes that the exemption is broadly formulated and there is a lack of a legally binding instrument that clarifies its scope.

2. Restrictions on onward transfers:

There are certain aspects of the UK legislative framework concerning onward transfers that might undermine the level of protection of personal data transferred from the European Economic Area (EEA). In this regard, the EDPB recognizes the following challenges:

• The first challenge relates to the recognition of third countries, international organizations, or territories as adequate recipients by the UK.
• The second challenge relates to the upcoming review of the already existing adequacy decisions. This means that certain countries that benefited until now from an adequacy decision may no longer provide for an essentially equivalent level of protection taking into account the current EU legislation and recent case laws. However, the fact that the UK has already recognized those countries as providing for an adequate level of protection is a matter of consideration.
• The third challenge relates to the onward transfer of personal data from the EEA to non-adequate countries based on transfer tools provided in Articles 46 and 47 of the UK GDPR.
• The fourth challenge relates to international agreements concluded or to be concluded in the future by the UK and the possible direct access to EEA personal data by authorities from third countries to such agreements. The EDPB has strong concerns about the already concluded UK-US CLOUD Act Agreement that came into force in July 2020. The EDPB notes that it may affect the substantive and procedural conditions under which personal data held by data controllers or processors in the UK can be directly accessed by US authorities, thereby impacting the level of protection guaranteed under UK law.
• The fifth challenge relates to the application of derogations for the transfers of personal data to a third country and the ICO’s interpretation of those derogations.
• The sixth challenge relates to the absence of essentially equivalent protections provided under Article 48 of the GDPR in the UK legal framework.

3. Access and use of personal data transferred from the EU by public authorities in the UK:

In relation to the access of personal data by public authorities in the UK, the EDPB recommends the European Commission to assess the following aspects of the UK legal framework:

• The possible use of consent in a law enforcement context
• The day-to-day data collecting operations of law enforcement agencies such as the GCHQ and NCA and the legal framework applicable to them for the processing of personal data
• The use of essential guarantees for national security purposes
• The possible impact of restrictions in relation to the further use of the information collected for the law enforcement purposes
• The legal basis of the use of personal data for purposes other than for law enforcement within the UK but the data was originally collected for the law enforcement purposes
• Any international agreements that may affect the application of UK data protection law
• The independence of the Surveillance Camera Commissioner, the Commissioner for the Retention and Use of Biometric Material, and judicial commissioners who are not serving as judges.
• The oversight mechanisms with regard to security certificates issued under the Data Protection Act 1998
• Data subjects have the right to request the High Court to compel a controller to correct or delete their personal data without unnecessary delay.
• The scope of exemptions for national security purposes

4. Investigatory powers exercised in the context of national security:

The Investigatory Powers Act 2016 sets out the extent to which certain investigatory powers may be used to interfere with privacy. The EDPB notes the following points of attention in relation to the scope of the application of the IPA 2016:

• The first point of attention relates to intentionally broad definitions of telecommunications operators, telecommunications service, and telecommunications system, among other similar terms. The EDPB recommends the European Commission assess these definitions keeping in consideration the proportionality of the interception measures.
• The second point of attention is the lack of clarity on whether or not data from establishments of telecommunications operators outside the UK is covered within the broad definition of “telecommunications operators”, to the extent that data of EEA data subjects are concerned.
• The third point of attention concerns the scenarios for which lawful interceptions and bulk acquisition of communications data is possible without the approval of  the Investigatory Powers Commissioner or the judicial commissioners.

5. Bulk interception of data:

The EDPB notes that there is a need for the assessment of bulk interceptions, in particular, the selection and application of selectors in the context of bulk interception procedures and whether or not safeguards are in place to protect the fundamental rights of individuals whose data are intercepted in this context.

6. Further use of the information collected for national security purposes and overseas disclosure:

The application of national security exemption provided under the UK law may compromise the principles of purpose limitation, necessity and proportionality, and data subjects’ rights in the third country of destination. Therefore, the EDPB recommends the European Commission to examine the overall safeguards provided under the UK legal framework when it comes to overseas disclosures, in light of the application of national security exemption.

What is Next?

The European Commission will now seek approval on the UK adequacy decision from the representatives of each member state. Following that, it will adopt a final decision regarding the UK adequacy. The UK is likely to be approved as an adequate country. However, the fact that the EDPB highlighted many areas of concern in the UK legal framework reflects an extremely cautious and objective approach towards cross-border data transfers. This approach indicates that the UK adequacy decision will be subject to regular reviews and monitoring by the European Commission.