On 13 April 2021, the European Data Protection Board (EDPB) published Opinion 14/2021 regarding the European Commission Draft Implementing Decision pursuant to Regulation (EU) 2016/679, on the adequate protection of personal data in the United Kingdom (Opinion). The Opinion is part of the procedure envisaging the formal adoption of the European Commission (EC) adequacy decision regarding the United Kingdom (UK), in order to safeguard the commercial relations between the EU and the UK, as the Brexit temporary solution established in the Trade and Cooperation Agreement between the EU and the UK is coming to an end (find more about this in our Flash on Transfers of Data to the UK).

Why is this important? After Brexit and the end of the transition period that followed it, the UK is considered a third country, equivalent to other countries out of the European Economic Area (EEA) in what regards the personal data protection framework. This means that transfers of personal data to the UK will become subject to the same set of rules governing transfer of data to any other third country, which vary depending on whether or not the EC issues an adequacy decision concerning the level of protection to personal data provided by the legislation of the UK. Thereby, the fact that the EC has issued a draft decision is of major importance for all stakeholders subject to the GDPR and transferring personal data to the UK.

The EDPB, when evaluating the draft decision, assessed the adequacy of the level of protection afforded in the UK, considering both: (i) general GDPR aspects and (ii) the access by public authorities to personal data transferred for the purposes of law enforcement and national security; the latest becoming particularly important after the Court of Justice decision in Privacy International v. the UK.

The Opinion provides detailed insights on the draft decision of the EC, highlighting the following:

  • The UK has implemented the GDPR as other Member States. Therefore, the personal data protection framework mirrors the European regime, with many aspects being essentially equivalent;
  • However, the EC must closely monitor the evolution of the UK data protection framework and potential amendments diverging from EU Law, and when necessary amend or suspend the adequacy decision;
  • Nonetheless, to ensure the corresponding level of protection, the EDPB considers that some aspects still need further scrutiny. Therefore, the following must still be addressed by the EC:

General aspects:

  1. The British regime does not include a provision on the cases in which it is possible for a third country Court, tribunal or administrative authority to request access to personal data originated on the EEA (similar to article 48 of the GDPR);
  2. The regime is not sufficient in relation to onward transfers and future British adequacy decisions;
  • There is lack of oversight on the use of immigration data.

The EDPB recommends the EC to provide further assurances in what regards these general aspects.

Access by public authorities to the data transferred:

  1. The cases in which it is possible for an authority to lawfully intercept communications without the approval of other entities are not clear;
  2. The British bulk interception regime is not sufficiently clarified;
  • The terms of disclosure of data collected for intelligence and national security purposes are mostly inaccessible to data subjects.

The EDPB recommends the EC to be particularly diligent regarding these aspects, ensuring there is enough oversight on the practices of public authorities.

The EDPB concludes that, notwithstanding the similarities between the British regime and the GDPR, it is of utmost importance that the EC addresses the concerns raised in the Opinion, in order to ensure an essential equivalence of level of protection of personal data between the EEA and the UK.

The VdA Team will follow any relevant updates on this matter. We will keep you informed regarding the most important developments on the relations between the UK and the EU when significant for data protection purposes, in particular when related with data transfers.

More from VdA