European Parliament Rejects UK Draft Adequacy Decisions

On 21 May 2021, the European Parliament adopted, with 344 in favour, 311 against and 28 abstaining, a Resolution urging the European Commission to amend draft UK adequacy decisions.

In this Resolution, members of the European Parliament (MEPs) view that the Commission would be going beyond its implementing powers if it adopts the draft UK adequacy decisions without having addressed all the concerns expressed in the Resolution. The Parliament also requests national data protection authorities to suspend the transfer of personal data which might be subject to indiscriminate access by UK intelligence authorities, if the Commission were to adopt its adequacy decisions without having addressed all the concerns raised.

Let’s look into some of the concerns raised by the MEPs:

1. GDPR enforcement:
   • MEPs express concern about the lack of enforcement of the GDPR by the UK when it was still a member of the EU. They note that non-enforcement is a structural problem, as laid out in the ICO’s regulatory action policy.
   • MEPs note that the UK’s national data strategy (as updated on 9 December 2020) suggests that there will be a switch from the protection of personal data towards increased and wider use and sharing of data. It’s approach that “withholding data can negatively impact society” is not compatible with the principles of data minimisation and purpose limitation under the GDPR.
2. Data processing for immigration control:
   • MEPs are strongly concerned about the immigration control exemption in the UK legal framework. This exemption restricts data subject’s rights to the extent that giving effect to their rights is likely to prejudice the maintenance of effective immigration control. It applies to data controllers who process personal data for immigration control purposes or transfer data to controllers who are responsible for such processing.
   • MEPs note that such exemption does not ensure an adequate level of protection as it removes key opportunities for accountability and remedies. Therefore, this exemption needs to be amended before a valid adequacy decision can be issued.
3. Mass surveillance:
   • MEPs consider it unacceptable that the draft adequacy decisions fail to take into account the lack of limitations on the use of UK bulk data powers or the actual use of UK-US surveillance operations. This includes the fact that there is no effective substantive oversight by the ICO or the courts over the use of national security exemption in the UK data protection law.
   • MEPs call on the member states to enter into no-spying agreements with the UK considering it to be the only feasible option to facilitate adequacy decisions if UK surveillance laws and practices are not amended.
4. Onward transfers:
   • MEPs are concerned that UK courts will no longer apply the Charter of Fundamental Rights of the European Union and the UK is not under the jurisdiction of the CJEU anymore, which is the highest instance that can interpret the Charter.
   • MEPs point out that the UK rules on the sharing of personal data under the Digital Economy Act 2017 and on onward transfers of research data are clearly not “essentially equivalent” to the rules set out in the GDPR.
   • MEPs are strongly concerned that the UK has granted itself the right to declare that other third countries or territories provide adequate data protection, irrespective of whether the third country or territory in question has been held to provide such protection by the EU.
   • MEPs are also concerned that the level of data protection would be undermined if the UK includes provisions on data transfers in any future trade agreements, such as US-UK trade agreements.
5. Law Enforcement Directive for Data Protection:
   • MEPs note that the UK’s cross-border access agreement with the US under the US Cloud Act, which facilitates transfers for law enforcement purposes, will allow undue access to the personal data of EU citizens and residents by US authorities.
   • MEPs are concerned that the safeguards provided under the EU-US Umbrella Agreement might not meet the criteria of clear, precise and accessible rules when it comes to access to personal data or might not sufficiently enshrine such safeguards so as to be effective and actionable under UK law.
   • MEPs deplore that the UK Investigatory Powers Act 2016 that replaced the Regulation of Investigatory Powers Act 2000 continues to enable the practice of bulk data retention.
   • MEPs call on the Commission to further assess and monitor the types of communications data that fall under data retention and lawful interception powers.

Some of the concerns raised by the Parliament are similar to those raised by the EDPB earlier on 13 April 2021. It is yet to be seen how the EU Parliament responds to all of the raised concerns.

It appears that the UK data protection framework will be subject to regular reviews and there is a lot of work to be done before an adequacy decision becomes effective. Our experts at Securiti will continue to monitor any developments in connection to the final UK adequacy decision to help you prepare for compliance.