On 13 April 2021, the European Data Protection Board (EDPB) adopted two Opinions on the draft UK adequacy decisions (Opinion 14/2021 and Opinion 15/2021). The EDPB noted “there are key areas of strong alignment between the EU and UK data protection frameworks on certain core provisions such as: grounds for lawful and fair processing for legitimate purposes; purpose limitation; data quality and proportionality; data retention, security and confidentiality; transparency; special categories of data; and on automated decision making and profiling.” This comes as no surprise to many given the UK’s approach to data protection and the GDPR pre- and (for the moment) post-Brexit.
As expected, areas of concern the EDPB identifies for further assessment and/or close monitoring are:
- the immigration exemption and its consequences on restrictions on data subject rights; and
- the application of restrictions to onward transfers of EEA personal data transferred to the UK, on the basis of, for instance, future adequacy decisions adopted by the UK, international agreements concluded between the UK and third countries, or derogations.
In order to address the concerns about surveillance and national security, the EDPB “welcomes the establishment of the Investigatory Powers Tribunal to address the challenges of redress in the area of national security, and the introduction of Judicial Commissioners in the Investigatory Powers Act 2016 to ensure better oversight in that same field.” Again as expected the EDPB lists areas requiring clarification and/or monitoring as:
- bulk interceptions;
- independent assessment and oversight of the use of automated processing tools; and
- safeguards provided under UK law when it comes to overseas disclosure, in particular in light of the application of national security exemptions.
The EDPB is keen to point out that “laws evolve” and therefore any UK adequacy decision will be kept under review to ensure there is no divergence. In our earlier article (European Commission on the verge of granting 'adequacy' to the UK), Sean Illing pointed out the review mechanism the European Commission (Commission) has built into the draft adequacy decisions, i.e. they will be periodically reviewed every 4 years by the Commission, and any decision is open to challenge at the European Court of Justice.
Just to make it crystal clear, the EDPB’s Chair, Andrea Jelinek, said “we welcome the Commission's decision to limit the granted adequacy in time and the intention to closely monitor developments in the UK”.
There has clearly been some political manoeuvring to reach this outcome and to appease those Member States (or at least their Supervisory Authorities) who were not in favour of the UK attaining adequacy. The warning is there loud and clear - while alignment exists adequacy is on the cards, but too much divergence will not be accepted and the EU will be watching!
While this is a positive next step, the UK is not yet over the final hurdle. The Commission will take into account the EDPB’s Opinions and then will ask a committee of representatives from EU Member States to give the go ahead. It is worth remembering that as any adequacy decision is an “implementing act”, the European Parliament has limited power to revise or block such an act, and really only has a “right to object” if it believes the Commission has overstepped its implementing powers. Progress is being made and the Civil Liberties, Justice and Home Affairs Committee (LIBE) of the European Parliament began to consider the UK’s adequacy decisions last Monday (19 April).
So where are we? Are we actually any closer? Will this grant the certainty businesses want and need? Well these are the million dollar questions! We are one step further along the process but it is a process that needs to reach a conclusion, and a positive one at that! Timing may become an issue, although if neither party objects the bridge will automatically be extended to 30 June 2021. As for the certainty point, as with all good legal questions the answer is…it depends! In this case it depends not only on whether the adequacy decisions are granted but also what happens with UK data protection in the following 4 years prior to any decision being reviewed.
“[t]he EDPB recognises that the UK has mirrored, for the most part, the GDPR and LED in its data protection framework and when analysing its law and practice, the EDPB identified many aspects to be essentially equivalent.”