The European Data Protection Board states a position on the possible United Kingdom adequacy decision

2021-04-28T17:09:00

On April 13, the European Data Protection Board (EDPB) published opinions on the two draft adequacy decisions for international personal data transfers to the United Kingdom published by the European Commission in February. There are two draft decisions, one related to the GDPR and another to Directive (EU) 2016/680 on investigating and prosecuting offenses. If the adequacy decisions are confirmed, it will be possible to continue data transfers between the EU and the United Kingdom with no need for additional guarantees.

The European Data Protection Board states a position on the possible United Kingdom adequacy decision
April 28, 2021

On April 13, the European Data Protection Board (EDPB) published opinions on the two draft adequacy decisions for international personal data transfers to the United Kingdom published by the European Commission in February. There are two draft decisions, one related to the GDPR and another to Directive (EU) 2016/680 on investigating and prosecuting offenses. If the adequacy decisions are confirmed, it will be possible to continue data transfers between the EU and the United Kingdom with no need for additional guarantees.

The EDPB reminds that—in particular under the General Data Protection Regulation—to determine the existence of an adequate level of protection, Article 45 and the position of the Court of Justice of the European Union require that the third country’s law must be aligned with the essence of the fundamental principles enshrined in the GDPR.

After analyzing the law and practice in the United Kingdom, the EDPB has identified many aspects that are essentially equivalent, given its previous status as an EU Member State.

That being said, there are many challenges. First, monitoring the development of British law on data protection as a whole. The British government recently stated its intention to develop policies that could entail differences from the European framework, with the consequent risk in terms of maintaining an appropriate level of protection for personal data transfers.

Second, the EDPB requested that the European Commission include more information on the immigration exemption in the adequacy decision, particularly in relation to the need for and proportionality of such a broad exemption in UK law.

The Board also highlighted the risk that agreements between the UK and third countries in relation to data transfers may undermine the level of protection.

Fourth, with regard to the public authorities’ access to data transferred to the UK—which proved key in declaring the Privacy Shield invalid in the Schrems II judgment—the EDPB pointed to the need for further clarification of the cases permitting access to or use of personal data without the approval of the Investigatory Powers Commissioner or the Judicial Commissioners.

In turn, the opinion urges the European Commission to continue assessing and demonstrating that UK law offers adequate safeguards, whether through effective ex post supervision or by fully exercising rights of individuals, e.g., appeal before the courts.

The EDPB therefore invites the European Commission to oversee those challenges carefully, complying with its control function and taking the required measures in the event that the protection level of personal data transferred is compromised, incorporating specific safeguards and amending or even suspending the adequacy decision when necessary. It should be highlighted that the adequacy decision prepared by the Commission would be the first to include a sunset clause.

Of course, the challenges raised here will remain under study by the European institutions over the coming years. We will remain watchful of the relevant events in the United Kingdom that may affect the essential equivalence of the level of personal data protection and will report any developments in this blog.

Authors: Josu Andoni Eguiluz and Miquel Peguera

April 28, 2021