The European Commission has issued draft adequacy approval on transfers of personal data between the EU and the UK, noting however that it will ‘monitor’ progress and rescind the decision should the UK diverge from EU data protection rules to a ‘problematic’ degree.
The publication of the draft decision from the Commission is the first step in a process towards full adequacy for EU-UK data transfers. The European Data Protection Board (EDPB) will now be asked to provide their opinion on the plans, and EU member state representatives will also be tasked with giving the green light to the decision.
Only once these procedures have been completed, can the Commission formally adopt the final adequacy decision. After the adequacy decision has eventually been adopted, it will be valid for an initial period of four years.
After four years, it would be possible to renew the adequacy finding if the level of protection in the UK would continue to be adequate, the Commission says.
Following the Commission’s decision on the matter on Friday (19 February), Věra Jourová, vice-president for values and transparency, said in a statement the decision should “stand the test of time” and, should the UK seek to further diverge from EU data protection standards as it has previously said it would do, the Commission could rescind the agreement.
“We included clear and strict mechanisms in terms of both monitoring and review, suspension or withdrawal of such decisions, to address any problematic development of the UK system after the adequacy would be granted,” the statement from Jourová read.
Moreover, in a briefing with reporters on Friday, a senior EU official said the proposed decision allows the Commission to react in cases of ‘problematic divergence’ from EU data rules, “to terminate or suspend the decision, or to not renew the decision in four years time.”
Last year, in a written statement to the House of Commons, Prime Minister Boris Johnson said the United Kingdom will “develop separate and independent policies” in a range of fields, including data protection, adding that the government would seek to maintain high standards in so doing.
“We will restore full sovereign controls over our borders, immigration, competition, subsidy rules, procurement, data protection,” Johnson also told reporters at the time.
On Friday, the UK government welcomed the move, despite criticizing the time the Commission took to come to its decision.
“Although the EU’s progress in this area has been slower than we would have wished, I am glad we have now reached this significant milestone following months of constructive talks in which we have set out our robust data protection framework,” a statement from Secretary of State for Digital Oliver Dowden read.
“I now urge the EU to fulfil their commitment to complete the technical approval process promptly, so businesses and organisations on both sides can seize the clear benefits.”
The next step in the process is for the Commission to seek a response from the EU’s umbrella data protection authority, the EDPB.
For the EDPB’s part, they also have concerns over the UK’s future data adequacy with regards to the country’s data-sharing arrangements with the US.
In October 2019, the US and the UK signed a data transfer agreement on ‘Access to Electronic Data for the Purpose of Countering Serious Crime’ which caught the attention of a number of European Parliament lawmakers, who were concerned that as part of a future adequacy agreement between the EU and the UK, the data belonging to EU citizens could be siphoned off to the US.
Responding to concerns from Renew MEPs Moritz Koerner and Sophie in ‘t Veld on this point, EDPB Chair Andrea Jelinek said that “the agreement concluded between the UK and the US will have to be taken into account by the European Commission in its overall assessment of the level of protection of personal data in the UK, in particular as regards the requirement to ensure continuity of protection in case of ‘onward transfers’ from the UK to another third country.”
In wider concerns over the scale of the UK’s surveillance powers outlined in its 2016 Investigatory Powers Act, the European Court of Justice ruled last year that EU member states are only permitted to carry out the indiscriminate transmission and retention of communications data when there is a ‘serious threat to national security,’ in line with EU law.
The Court’s conclusions that the UK’s surveillance powers should have been limited to the provisions outlined in the 2002 ePrivacy directive during the time the country was an EU member, will raise more questions about the extent to which the UK’s snooping powers will diverge from EU data protection law as it pursues its own sovereign data strategy.