European Data Protection Board's opinion on UK data adequacy
During its 48th plenary session on 14 April, the European Data Protection Board (EDPB) adopted two opinions on the European Commission's draft Implementing Decisions, published on 19 February, on the adequate protection of personal data in the UK.
The EDPB broadly welcomes the Commission’s draft decision to grant UK data adequacy, finding many aspects of the UK data protection framework to be “essentially equivalent” to the safeguards under the GDPR. These include:
- concepts (e.g. “personal data”; “processing of personal data”; “data controller”);
- grounds for lawful and fair processing for legitimate purposes;
- purpose limitation;
- data quality and proportionality;
- data retention, security and confidentiality;
- transparency;
- special categories of data;
- direct marketing;
- automated decision making and profiling.
The EDPB even goes a step further to state that UK data protection law includes principles that go beyond what is required for a country to be granted adequacy by the EU, thereby elevating the level of protection provided for in the UK.
While the EDPB does not expect the UK legal framework to replicate European data protection law, the UK is a former Member State, and there is significant mirroring of EU law in the UK GDPR and the DPA 2018 (aka the UK data protection framework). Such content principles include the ones related to personal data breach notifications, the data protection officer, data protection impact assessments and data protection by design and by default.
However, despite finding “strong alignment” between the GDPR and the UK data protection framework, the EDPB’s tone is hesitant and cautious, urging the Commission to subject the UK’s framework to more detailed scrutiny with regard to:
- The UK’s intention to develop separate and independent policies in data protection, which may lead to significant divergence from EU data protection law.
- Safeguards of personal data under the “broadly formulated” immigration exemption.
- Onward transfers of personal data to other jurisdictions outside of the EEA.
- The interplay between the UK data protection framework and its international commitments, such as the UK-US Cloud Act Agreement, or other information sharing agreements which are inaccessible to the public, such as the UK-US Communication Intelligence Agreement.
- The effectiveness of the UK’s practice on procedural and enforcement mechanisms through the Information Commissioner’s Office.
- Access by public authorities to data transferred to the UK under national security and surveillance laws.
Aside from calling on the Commission to keep a close eye on developments in the UK that may affect the level of protection of personal data, the EDPB consistently reminds the Commission of the powers it has at its disposal to suspend, amend or even repeal the adequacy decision. The EDPB has also welcomed the Commission’s decision to introduce a sunset clause of four years for the draft decision. This would be the first EU adequacy decision to include a sunset clause where adequacy is not renewed without a reassessment.
The bridging mechanism, as agreed under the Trade and Cooperation Agreement, allows for the unrestricted transfer of personal data from the EEA to the UK until 1 May 2021. However, this deadline may be extended to 1 July 2021 upon agreement from both sides, until the final UK data adequacy decision is formally adopted by the European Commission after seeking approval from the European Council via the Comitology process. Should the Commission not adopt the data adequacy decision for the UK, businesses will need to use alternative tools and safeguards such as Standard Contractual Clauses to transfer personal data from the EEA to the UK. More on techUK's Brexit hub.
Alessandra is techUK’s Policy Manager for Data. She leads techUK’s working groups on Data Protection and Open Data and supports members on key issues such as the UK’s National Data Strategy.
Prior to working for techUK, Alessandra was a Consultant for a Public Policy firm based in London where she helped international technology companies navigate the risks and opportunities of digital policy. Alessandra has experience working for the European Asylum Support Office, the Malta High Commission in London during Malta’s first rotating presidency of the Council of the EU, and the European Parliament Information Office in Valletta. She holds an MSc in Public Policy and a B.A. in European Studies.