The European Commission is “not naive” about the UK’s future ambitions in the data space and will be prepared to suspend transfers of personal data to the country should the UK in the future diverge from EU standards, Justice Commissioner Didier Reynders has said.
In February, the Commission issued draft adequacy approval on transfers of personal data between the EU and the UK, following the latter’s decision to withdraw from the European Union.
The decision is being examined by the European Data Protection Board (EDPB) and will also need to be fully signed off by the 27 member states. In the meantime, a ‘bridging’ mechanism has been put in place, lasting up to six months, which allows for transfers to temporarily continue.
The EDPB is due to come forth with its response to the Commission’s text around mid-April time, Reynders disclosed to members of Parliament’s Civil Liberties Committee on Wednesday (16 March).
However, EU lawmakers in Brussels doubt that the UK’s future data protection landscape will be fully aligned with EU data protection standards, following recent comments from the UK’s Digital Secretary Oliver Dowden.
Reuters quoted Dowden as saying last week the UK would not seek to undercut EU data protection standards but would look for ‘opportunities’ to foster growth in the field.
“There is a sweet spot for the UK whereby we hold onto many of the strengths of GDPR in terms of giving people security about their data,” Dowden said. “But there are obviously areas where I think we can make more progress.”
MEPs not happy
The UK’s approach in this regard has provoked the concern of some in Brussels, not least members of the European Parliament, who aired their worry Justice Commissioner Reynders this week.
Estonian S&D MEP Marina Kaljurand cited concerns over the UK’s compliance with the GDPR, as well as the UK-US bilateral e-evidence agreement and the country’s track record in mass data collection and retention, which the European Court of Human rights ruled in 2018 was a breach of the European Convention on Human Rights.
The first point, in particular, was also raised by Renew’s Sophie in ‘t Veld, who said the UK Data Protection Act’s ‘immigration control exemption’ has always been in breach of the protections outlined in the GDPR.
For his part, Reynders defended the Commission’s decision to issue draft adequacy to the UK, noting that the country continues to adhere to the Council of Europe’s convention 108, which protects privacy rights, and that the fact that the UK has transposed GDPR into national law marks a positive precedent for data adequacy.
However, he did concur that a challenge in establishing adequacy to the UK would be in making any decision ‘futureproof’, bearing in mind the UK’s wishes to diverge somewhat.
“This is why we will monitor very closely and continuously the UK international transfer policy and practice. If problematic divergences take place, that will trigger the suspension or withdrawal clause of our adequacy decision,” Reynders told MEPs in Parliament’s Civil liberties committee on Wednesday.
“In other words, our assessment is an objective and legal one. At the same time, we are not naive and need to be prepared to react in case of problematic divergence.”
Moreover, Reynders said the inclusion of a so-called ‘sunset clause’ in the draft agreement means that every four years the Commission will have the opportunity to review the UK’s data protection landscape and make revisions to the accord as necessary.
“We have chosen an expiration period of four years because it will take some time until the UK approach to Data Protection will be fully developed. We can only decide whether the adequacy decisions should be renewed once we know in which direction the UK is moving,” he added.
[Edited by Zoran Radosavljevic]