The European Commission has concerns that certain aspects of the UK’s data protection regime may change in the future and negatively impact the safety of EU personal data when transferred to the country, Commission sources have informed EURACTIV.
The EU executive is conducting an assessment of the UK’s data protection landscape as part of a so-called ‘adequacy-decision,’ in order to determine if EU data can safely be transferred to the UK after Brexit.
During the transition period, the UK continues to abide by the EU’s General Data Protection Regulation, but there are fears in the Commission that this could change after the transition comes to an end on 31 December.
Should the UK decide to chart a path with less stringent data protection controls than that of the EU, personal data belonging to citizens from the bloc could be put at risk when transferred across the English channel.
“While the UK applies EU data protection rules during the transition period, certain aspects of its system may change in the future, such as rules on international transfers,” a Commission source told EURACTIV on Tuesday (22 September).
“These aspects, therefore, raise questions that need to be addressed,” the source added.
The EU executive seeks to adopt a position before the end of 2020, and before doing so, would also require a positive opinion on the UK’s data protection standards from the European Data Protection Board (EDPB), as well as a greenlight from EU Member States.
For the EDPB’s part, they also have concerns over the UK’s future data adequacy with regards to the country’s data sharing arrangements with the US.
In October 2019, the US and the UK signed a data transfer agreement on ‘Access to Electronic Data for the Purpose of Countering Serious Crime’ which caught the attention of a number of European Parliament lawmakers, who were concerned that as part of a future adequacy agreement between the EU and the UK, the data belonging to EU citizens could be siphoned off to the US.
Responding to concerns from Renew MEPs Moritz Koerner and Sophie in ‘t Veld on this point, EDPB Chair Andrea Jelinek said that “the agreement concluded between the UK and the US will have to be taken into account by the European Commission in its overall assessment of the level of protection of personal data in the UK, in particular as regards the requirement to ensure continuity of protection in case of ‘onward transfers’ from the UK to another third country.”
Lack of progress
The comments from the Commission on Tuesday echo an earlier statement from EU Vice-President for Values and Transparency Věra Jourová, who said that she ‘couldn’t predict’ the outcome of a Commission decision on data adequacy for the UK, because “we do not know whether or not the UK will introduce some changes in their national legislation which might deviate from the general line of the general data protection regulation.”
UK Prime Minister Boris Johnson said earlier this year that the UK would diverge from the EU framework, which would give powers to privacy authorities across the EU to enforce fines of up to 4% of global revenue or €20 million for data protection breaches.
In the European Parliament on Tuesday, MEPs in the Civil Liberties committee took part in a confidential briefing with Commission representatives on the subject of the UK’s data adequacy assessment.
Two Parliament sources revealed to EURACTIV that the lack of progress on the assessment presented by the Commission was disappointing to MEPs and that the EU executive was unable to give any specific decision for when a decision could be arrived at.
[Edited by Zoran Radosavljevic]