In a letter to the European Parliament dated 15 June 2020, Andrea Jelinek, chair, European Data Protection Board (EDPB) raises concerns over the UK’s endeavour to reach an ‘adequacy decision’ with the EU following the end of the Brexit transition period.
GDPR will remain within UK domestic law under the European Withdrawal Agreement which includes a transition period that will run until 31 December 2020.
The UK Government and EU will use this transition period to negotiate an agreement which may mean the UK’s 2018 Data Protection Act will be deemed ‘adequate’ by EU counterparts. Should this adequacy decision not be successful, the UK will be required to amend its legislation or risk noncompliance with EU law and face the penalties that come along with it.
The letter begins by addressing the agreement made between the UK and the US on Access to Electronic Data for the Purpose of Countering Serious Crime, signed 3 October 2019.
Qualifying that the letter is an initial “preliminary analysis” Jelinek questions whether the UK was in a capacity to enter an agreement with the US as to regulating access to personal data between both countries for the purpose of preventing and prosecuting serious crime.
She explains that in light of the potential adequacy decision for the UK, “the EDPB considers that the agreement concluded between the UK and the US will have to be taken into account by the European Commission in its overall assessment of the level of protection of personal data in the UK, in particular as regards the requirement to ensure continuity of protection in case of “onward transfers” from the UK to another third country.”
Jelinek highlights that given the “EU acquis in the field of data protection, and in particular with the GDPR and the law enforcement directive” the EDPB has reservations as to whether the safeguards in the agreement for access to personal data in the UK would apply in certain circumstances requiring disclosure obligations to the US.
The letter says that the level of personal data protection, including procedural conditions for access to personal data must be ensured consistently throughout the Union. If the approach to data consistency is deemed to be inconsistent or inadequate on the part of the UK, this poses a significant risk to the likelihood of the UK attaining an adequacy decision.
Jelenik’s letter concludes: “Should the European Commission present a draft adequacy decision for the UK, the EDPB will provide its own assessment in a dedicated opinion.”
Since Brexit on 31 January 2020, the UK is now considered a ‘third country’ under GDPR until 2021. This means that where personal data flows from the EU to UK, firms dealing with this data must ensure necessary contractual provisions are in place across their operations.
The ideal outcome for the UK would see the EU grant an ‘adequacy decision’ to the UK which would deem the UK’s data protection laws sufficiently robust to satisfy GDPR standards. In conversation with Finextra Research, Matthew Whalley, associate partner, EY Financial Services Law discussed the topic late last year: “Because of the prevalence of data in today’s world and the need to transfer it across borders, there are multiple advantages in pushing for an adequacy decision on the basis that the EU is our closest and largest trade partner.
“That would likely be the preferred option from an EU perspective. But the key for the UK here would be the requirement to continuously update our own data protection laws to match any changes made by the EU.” While the UK has its own data protection laws in place, doubts linger over the likelihood that the EU would grant an adequacy decision in favour of the UK.
First, as the UK will not retain the EU’s Charter of Fundamental Human Rights the protection of personal data would no longer be treated as a fundamental human right as it is in Article 8 of the Charter. Second, the UK’s Investigatory Powers Act 2016 may be deemed incompatible with GDPR, nor are the UK’s surveillance laws considered to have the necessary protections to be afforded the right to privacy.
“I think that the bigger thing that would impact an adequacy decision is national security and our approach to accessing personal data for reasons of national security,” Whalley furthered, pre-empting the position the EDPB proposed in its letter this week.