In encouraging news for UK-based organisations involved in the processing of personal data, the European Data Protection Board (EDPB) has adopted two Opinions on the draft UK adequacy decisions which, if approved, would allow the transfer of personal data from the European Economic Area (EEA) to the UK to continue freely.
The first Opinion (Opinion 14/2021) relates to the GDPR and considers general data protection issues and also government access to personal data transferred from the EEA for national security and law enforcement purposes set out in the draft adequacy decision. The second Opinion (Opinion 15/2021) relates to the Law Enforcement Directive (LED) and considers various issues.
The EDPB observes that there are significant areas of clear affiliation between the EU and UK regarding a number of key data protection requirements, such as purpose limitation, security and confidentiality, grounds for fair and lawful processing, transparency and data quality and proportionality, among others.
Having said that, the EDPB also notes that various points should be considered further and/or closely monitored by the European Commission in its decision based on the GDPR, including, for instance, the application of restrictions to onward transfers of EEA personal data transferred to the UK on the basis of, for example, future adequacy decisions adopted by the UK.
The EDPB also considers access by public authorities for national security purposes to personal data transferred to the UK. While the EDPB notes that various issues require further clarification and/or monitoring, such as the issue of bulk interceptions and safeguards under UK law regarding overseas disclosure, the EDPB notes with approval the introduction of the Investigatory Powers Tribunal to help tackle issues of redress regarding national security and the establishment of Judicial Commissioners in the Investigatory Powers Act 2016 to help improve oversight.
The EDPB has acknowledged that many areas of UK data protection law are “essentially equivalent” to EU data protection law, although it also notes that laws can be updated and therefore believes that changes in UK data protection law should be kept under review by the European Commission. Although not a completely unequivocal endorsement of the UK’s adequacy decisions by the EDPB, this looks like a step in the right direction for the UK.
EDPB Chair, Andrea Jelinek said: "The UK data protection framework is largely based on the EU data protection framework. The UK Data Protection Act 2018 further specifies the application of the GDPR in UK law, in addition to transposing the LED, as well as granting powers and imposing duties on the national data protection supervisory authority, the ICO. Therefore, the EDPB recognises that the UK has mirrored, for the most part, the GDPR and LED in its data protection framework and when analysing its law and practice, the EDPB identified many aspects to be essentially equivalent. However, whilst laws can evolve, this alignment should be maintained. So we welcome the Commission's decision to limit the granted adequacy in time and the intention to closely monitor developments in the UK.”