The European Commission has said that it “cannot predict” whether the UK will be fit for a data transfer adequacy agreement with the EU as part of ongoing negotiations on a future trade deal between the two parties.
Speaking to reporters on the presentation of the Commission’s first review on the assessment of the EU’s General Data Protection Regulation on Wednesday (24 June), Vice-President for Values and Transparency Věra Jourová cast doubt on whether the UK will be fit for a data adequacy agreement with the EU anytime soon.
“I cannot predict now whether it will be so easy and without any further negotiations needed for the possible adequacy decision because we do not know whether or not the UK will introduce some changes in their national legislation which might deviate from the general line of the general data protection regulation,” Jourová said.
The UK transposed the EU’s GDPR into national law with the 2018 Data Protection Act, but Prime Minister Boris Johnson earlier this year said that the UK would diverge from the EU framework, which gives powers to privacy authorities across the EU to enforce fines of up to 4% of global revenue or €20 million for data protection breaches.
“If the systems are equal or essentially equivalent, of course, the adequacy decision can be taken, but for the UK it is too early to say because there will be a number of talks about this issue,” Jourová added.
In February, Dutch MEP Sophie in ‘t Veld raised the issue in a European Parliament plenary session, with Brexit negotiator Michel Barnier in attendance.
“I am quite worried to see the eagerness of the European Commission to issue a so-called adequacy decision when it is far from clear that the UK government can be trusted with our data,” she said.
UK-US data concerns
Renew Europe’s in ‘t Veld and others in Brussels have also raised concerns with regards to the UK’s adequacy for an EU data-sharing agreement due to arrangments that the country has made with the United States, since taking the decision to withdraw from the EU. There is no singular data protection legislation in the US, although at the start of this year the California Consumer Privacy Act, influenced by the GDPR, came into law.
In October 2019, the US and the UK signed a data transfer agreement on ‘Access to Electronic Data for the Purpose of Countering Serious Crime,’ which caught the attention of a number of MEPs who were concerned that as part of a future adequacy agreement between the EU and the UK, the data belonging to EU citizens could be siphoned off to the US.
On this subject, in ‘t Veld and Renew MEP Moritz Koerner asked the European Data Protection Board for advice.
EDPB Chair Andrea Jelinek responded that “the agreement concluded between the UK and the US will have to be taken into account by the European Commission in its overall assessment of the level of protection of personal data in the UK, in particular as regards the requirement to ensure continuity of protection in case of ‘onward transfers’ from the UK to another third country.”
For its part, the Commission has not responded to questions from EURACTIV on how much they plan to take into account the issue of ‘onward transfers’ in its adequacy assessment of data protection in the UK.
UK track record in data protection
More broadly, a number of EU member states such as France and the Netherlands have called for the UK to be cut out from access to certain EU databases, including the Schengen Information System (SIS II), a sizable database used for the sharing of data on criminal suspects.
The UK has previously been accused of ‘serious deficiencies’ with regards to its use of the database after it transpired that the country allegedly made illegally copying masses of information from the database.
Earlier this year, the Council of the EU called upon the UK to cease the unlawful copying of SIS data into the Warning Index, a database used by the UK Border Force at first- and second-line border checks.
More recently, European parliamentarians took a stand against the UK’s data regime, adopting a report that said the EU’s move to grant the UK access to the bloc’s fingerprint data for law enforcement purposes “would create serious risks for the protection of fundamental rights and freedoms of individuals”.
Edited by Sam Morgan