The European Commission will tomorrow (24 June) highlight the importance of the UK abiding by EU data protection rules as part of a future relationship between the two parties, in the first review of the landmark general data protection regulation, obtained by EURACTIV.
Earlier this year, Prime Minister Boris Johnson said that the UK would seek to diverge from EU data protection law following its withdrawal from the bloc.
Analysing the effectiveness of adequacy decisions contracted with third-countries to guarantee the security of EU personal data when transferred abroad, in the review the executive notes that an adequacy agreement with the UK is an “essential prerequisite” for cooperation in law enforcement and security.
“A high degree of convergence in data protection is an important element for ensuring a level playing field between two so closely integrated economies,” the review reads.
The Commission also confirms that it has begun work on an adequacy assessment of the UK’s data protection standards, to decipher whether the UK’s data protection regime is robust enough to align with EU standards.
The steps to adopt an adequacy agreement involve this period of assessment by the Commission, followed by a draft decision from the executive, an opinion by the European Data Protection Board and then final approval by member states and the College of Commissioners.
The UK has a controversial track record in mass surveillance programs, evidenced in a European Court of Human Rights ruling in 2018, which found that the UK had breached human rights protections in its mass surveillance program, afforded legitimacy by the Investigatory Powers Act (RIPA).
More recently, European parliamentarians took a stand against the UK’s data regime, adopting a report that said the EU’s move to grant the UK access to the bloc’s fingerprint data for law enforcement purposes “would create serious risks for the protection of fundamental rights and freedoms of individuals”.
In February Johnson said that as the UK nears the end of the post-Brexit transition period, it will “develop separate and independent policies” in a range of fields, including data protection, adding that the government would seek to maintain high standards.
GDPR review & resources
The GDPR gives powers to privacy authorities across the EU to enforce fines of up to 4% of global revenue or €20 million, whichever is higher. The largest fine to date has been the French data protection authority’s €50 million penalty against Google in 2019 for a lack of transparency.
More broadly, as part of the GDPR review to be published on Wednesday, the Commission reiterated the importance of EU data protection authorities being adequately resourced to deal with vast quantities of data protection complaints.
“Given that the largest big tech multinationals are established in Ireland and Luxembourg, the data protection authorities of these countries act as lead authorities in many important cross- border cases and may need larger resources than their population would otherwise suggest,” the document states, adding, however, that there are disparities in the resources allocated to data protection authorities at the national level.
In this context, a report published in May by the advocacy group Access Now found that “companies could leverage DPAs’ lack of resources, using it to get around the application of the GDPR, or at least significantly delay its effect.”
However, despite the Commission noting the importance of authorities in Ireland and Luxembourg possibly requiring ‘larger resources,’ data shows that both countries have seen a significant increase in their staff numbers between 2016 and 2019.
Ireland saw the largest upturn of EU member states, with a 169% increase in staff during this period, with Luxembourg on 126%.
But the disparities between member states are laid bare when reviewing the situation in less well resources countries across the bloc, where in Greece and Bulgaria there has been a 15% and 14% decrease in staff members respectively.
Lack of harmonisation
Moreover, further fragmentation is exposed in the way GDPR has been implemented across the EU, and the Commission also warned that infringement procedures could be taken should member states fail to comply with the rules.
A lack of harmonisation is seen with regards to the age by which children can give their consent for personal data to be processed. The Commission could seek amendments to the GDPR in order to clarify the rules, it says.
“A company providing information society services to minors across the EU has to distinguish between the ages of potential users, depending in which Member State they reside,” the Commission notes, highlighting that nine member states apply an age limit of 16 years, while eight nations opted for 13 years, six for 14 years and three for 15 years.
“This is contrary to the key objective of the GDPR to provide for an equal level of protection to individuals and of business opportunities in all Member States.”
Additional amendments could be made in light of the fact that ‘the application of the GDPR is challenging especially for small and medium-sized enterprises,” which could allow for flexibility to be implemented “regarding records of processing by SMEs that do not have the processing of personal data as their core business.”
Despite this however, the executive notes that it would prefer an approach whereby national data protection authorities provide “practical tools” to support Europe’s SMEs in abiding with the GDPR.
[Edited by Benjamin Fox]