‘Prepare for all eventualities’ on UK-EU data transfers, EDPS says

A file picture dated 26 January 2016 shows a British Union flag flutters next to European Union (EU) flags ahead avisits of then British Prime Minister Cameron at the European Commission in Brussels, Belgium. [EPA/LAURENT DUBRULE]

There could be a series of ‘obstacles’ in terms of securing an EU-UK adequacy agreement on post-Brexit data transfers and the bloc should therefore “take steps to prepare for all eventualities,” the European Data Protection Supervisor (EDPS) has said this week.

Delivering an opinion on the opening of negotiations on a future trade deal between the UK and the EU, the EDPS chief Wojciech Wiewiórowski said that due to the UK’s recently publicised stance on diverging from EU data protection standards, the bloc should ensure that it is ready to contend with the possibility that an adequacy agreement before the end of 2020 may not be possible.

“Given the specific situation of the UK, any substantial deviation from the EU data protection acquis that would result in lowering the level of protection would constitute an important obstacle to the adequacy findings,” Wiewiórowski said in a paper published on Tuesday (25 February).

“The EDPS also recommends that the Union take steps to prepare for all eventualities, including where the adequacy decision(s) could not be adopted within the transition period, where no adequacy decision would be adopted at all, or where it would be adopted only in relation to some areas,” the paper read.

Adequacy agreement

The EU’s flagship personal data protection regime, the GDPR, sets down baseline requirements for data protection standards, and addresses minimum privacy standards for transferring EU data outside of the bloc. With countries outside the EU, the bloc often signs adequacy agreements as a means of safeguarding personal data.

The European Commission has previously stated that the assessment for an adequacy agreement between the UK and the EU should have begun on 1 February.

The steps to adopt an adequacy agreement, allowing for data transfers between the EU and the UK, involve a period of assessment by the Commission, followed by a draft decision from the EU’s executive arm, an opinion by the European Data Protection Board and then a final approval by member states and the College of Commissioners.

Parliament concerns

However, a resolution adopted by the European Parliament on 12 February highlighted a number of concerns with the UK’s current data protection set up and poured cold water on the possibility of an adequacy agreement on data transfers being agreed upon, though the UK has transposed GDPR into national legislation via the 2018 Data Protection Act.

The resolution states that any potential accord “must demonstrate that the UK provides a level of protection ‘essentially equivalent’ to that offered by EU legal framework,” and that under the current regime, there are outstanding concerns with the UK’s forwarding of personal data onto third countries, the processing of personal data for immigration purposes, and the retention of electronic telecommunications data.

The UK legal framework for data protection “does not currently meet the conditions for adequacy,” the resolution finds.

A European Commission spokesperson recently informed EURACTIV that the Commission would “endeavour” to adopt a decision by the end of 2020, “if applicable conditions are met,” adding that internal preparations are ongoing. The Commission was unable to confirm whether the assessment procedure had begun yet.

Moreover, industry players have started to speak out about the potential risks for data transfers between the EU and the UK, should an adequacy agreement be out of reach before the end of 2020.

Thomas Boué, director-general for Europe Policy at BSA, the software trade association, told EURACTIV that “over the next 10 months, it will be critical to build on the existing convergence of rules, including on privacy and trade, to enshrine a strong and comprehensive framework for EU-UK data transfers.”

UK data protection framework

In a written statement to the House of Commons published at the start of February, Prime Minister Boris Johnson said the United Kingdom will “develop separate and independent policies” in a range of fields, including data protection, adding that the government would seek to maintain high standards in so doing.

This followed an earlier statement by the then Digital Secretary Nicky Morgan that hinted at the direction the country would take as part of its post-Brexit National Data Strategy, saying she would seek to “fully and responsibly unlock the power of data, for people and organisations across the UK.”

Elsewhere, the private sector has already started taking advantage of the UK diverging from the EU’s personal data regime. Google recently confirmed plans to relocate UK users’ data from Ireland, where it comes under the jurisdiction of the EU, to the US.

The move was made due to concerns over whether the UK would continue to abide by GDPR or not. After Johnson’s recent remarks, it is believed that amendments are likely to be made to the UK’s Data Protection Act.

US privacy protections are considered to be some of the weakest globally, and the shift from Ireland to the US may permit British law enforcement agencies easier access to data belonging to UK citizens held by American companies, as part of provisions set out in the US Cloud Act.

The UK and US are likely to discuss such access as part of a possible free trade deal between the two parties, to be negotiated presently.

[Edited by Zoran Radosavljevic]

Subscribe to our newsletters