The European Commission should not grant the UK a data adequacy agreement as part of its ongoing assessment of the country’s data protection landscape, an Irish civil rights group has said.
In a letter sent to the EU’s Justice Commissioner Reynders, Internal Market Chief Thierry Breton, and Vice-President for Digital Margrethe Vestager on Monday (12 October), the Irish Council for Civil Liberties (ICCL) hit out at the track record of the UK’s data protection authority, calling it the prime reason why the country cannot be trusted with EU personal data.
“An adequacy decision is impossible because the UK’s data protection supervisory authority, the Information Commissioner’s Office (ICO), does not meet the test of an ‘effectively functioning’ supervisory authority,” said the letter, signed by Senior Fellow of the ICCL Johnny Ryan.
The EU executive is conducting an assessment of the UK’s data protection landscape as part of a so-called ‘adequacy-decision,’ in order to determine if EU data can safely be transferred to the UK after Brexit.
Under the EU’s General Data Protection Regulation, data protection authorities are required to demonstrate that they are capable of carrying out the formalities required to oversee the correct application of the bloc’s data protection rules in their home country.
But the ICO’s track record, Ryan writes, does not bode well in terms of the authority’s compliance with the GDPR in this respect, after it transpired earlier this year that the organisation had paused a probe into real-time bidding (RTB) activities online.
Real-time bidding refers to how the online ad industry micro-targets internet users in real time, a practice that operates under the radar and is not made clear to users. RTB infringements of the GDPR were reported to the ICO in January 2018.
Referring to data breaches that have taken place as a part of this practice, the ICCL said that the UK’s ICO cannot be trusted to carry out data protection formalities effectively after the end of the transition period on 31 December.
“The ICO has failed over the last two years to take any substantive action against the largest data breach that the UK and EU have ever experienced. It would be unreasonable to anticipate that it will perform any better after Brexit is complete,” the letter stated.
“The UK lacks an effective independent supervisory authority that is capable of enforcing compliance with data protection law and vindicating data subjects’ rights. As a consequence, the personal data of data subjects in the Union do not at present have an adequate level of protection in the UK.”
During the transition period, the UK continues to abide by the EU’s General Data Protection Regulation, but there are fears in the Commission that this could change after the transition comes to an end on 31 December.
Such fears, EURACTIV understands, are likely to feed into the Commission’s assessment of the UK.
“While the UK applies EU data protection rules during the transition period, certain aspects of its system may change in the future, such as rules on international transfers,” a Commission source told EURACTIV recently.
“These aspects, therefore, raise questions that need to be addressed,” the source added.
The EU executive seeks to adopt a position before the end of 2020, and before doing so, would also require a positive opinion on the UK’s data protection standards from the European Data Protection Board (EDPB), as well as a green light from EU member states.
The recent comments from the Commission echo an earlier statement from EU Vice-President for Values and Transparency Věra Jourová, who said that she ‘couldn’t predict’ the outcome of a Commission decision on data adequacy for the UK, because “we do not know whether or not the UK will introduce some changes in their national legislation which might deviate from the general line of the general data protection regulation.”
EU fears have been stoked in this respect after UK Prime Minister Boris Johnson said earlier this year that the UK would diverge from the EU framework, which gives privacy authorities across the EU the power to enforce fines of up to 4% of global revenue or €20 million for data protection breaches.
The UK government is also seeking to pursue more of a pro-innovation approach in its new ‘data strategy,’ which could also be to the detriment of stringent EU data protection rules.