The European Commission (EC) has indicated its willingness to offer a data adequacy agreement for the UK, subject to formal approval by EU member states.
The commission has published two draft data adequacy decisions, one under the General Data Protection Regulation (GDPR) and another under the Law Enforcement Directive (LED), to allow for the ongoing transfer of personal data to the UK, starting the process of their formal adoption.
The purpose of data adequacy decisions is to determine whether a country, or a sector within a country, outside the European Union (EU) has data protection standards essentially equivalent to those of the bloc, and therefore whether data can be shared with it.
The UK has already determined, under its own rules, that the EU offers an adequate level of data protection, and the draft decisions now seek to assess whether data can still flow in the other direction, from the EU to the UK, after Brexit.
According to the decisions, the EC considers that UK data protection laws “guarantee a level of protection for personal data … which is essentially equivalent” under both the GDPR and the LED, and that the “monitoring and remedial pathways” are strong enough to allow interested parties to exercise their rights and to sanction infractions.
Both draft decisions will now be examined by the European Data Protection Board (EDPB) but, because the board itself has no power to block decisions, they will also need the approval of EU member states before they can be fully adopted by the EC.
Currently, data can flow from the EU to the UK under the Trade and Cooperation Agreement signed on December 24, 2020, which provides a six-month transition period to allow for the continuous flow of data while the data adequacy decisions are fully evaluated.
“A secure flow of data between the EU and the UK is essential to maintain close business ties and cooperate effectively in the fight against crime. Today we begin the process to achieve it. We have thoroughly checked the privacy system in place in the UK after it left the EU,” said Justice Commissioner Didier Reynders.
“Now the European data protection authorities will thoroughly examine the draft texts. The fundamental right of EU citizens to data protection should never be compromised when personal data travels through the Channel. The adequacy decisions, once adopted, would guarantee precisely that.”
If member states agree that the UK is adequate under the LED, it will be the first time such an adequacy decision has been made under the directive, and the majority of law enforcement data transfers from the EU are currently governed by international agreements that do not take into account the essential equivalence standard that now exists.
Twelve adequacy decisions have been made under the GDPR since it came into effect in May 2018, with Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay recognized as adequate jurisdictions by the EC.
In July 2020, the EU Court of Justice (CJEU) annulled the EU-US Privacy Shield data sharing agreement for failing to ensure that European citizens had adequate rights of redress when their data is collected by the US National Security Agency (NSA) and other US intelligence services.
The ruling, known colloquially as Schrems II after the Austrian lawyer who brought the case to the CJEU, determined that, when their data is transferred to the US and other countries, individuals should receive “essentially equivalent protection” to that which they would receive in the EU under the GDPR and the European Charter of Fundamental Rights, which guarantees people the right to private communications and the protection of their private data. The status of EU-US data adequacy has not yet been fully resolved.
Although both UK adequacy decisions aim to achieve the same essential equivalence standard, the rules for the protection of personal data differ between the GDPR and the LED, with the latter establishing sector-specific rules to govern how personal data can be processed and transferred by criminal justice organizations for law enforcement purposes.
Therefore, the formal adoption of one adequacy decision does not imply the automatic adoption of the other, since both must be evaluated separately on their own merits.
UK government and tech industry react to GDPR adequacy
Digital Secretary of State Oliver Dowden welcomed the release of the draft decisions, which he claimed reflect the UK’s commitment to high standards of data protection.
“Although the EU’s progress in this area has been slower than we would have liked, I am pleased that we have reached this important milestone after months of constructive discussions in which we have established our strong data protection framework,” he said.
“I now urge the EU to fulfill its commitment to complete the technical approval process promptly, so that companies and organizations on both sides can reap the clear benefits.”
The draft decisions have also been received positively by industry bodies representing a range of companies in the UK tech sector.
“Today’s decision is very well received by the technology industry, which has made clear the importance of a mutual agreement on data adequacy since the day after the referendum,” said Julian David, CEO of TechUK.
“Receiving data adequacy, together with the EU-UK Trade and Cooperation Agreement, will establish a solid foundation for digital trade with the EU, including strong non-discrimination clauses and positive data flow provisions, which will give companies the confidence to invest.”
Stephen Kelly, President of Tech Nation, added that international data transfer was critical to UK technology, particularly for sectors such as fintech, where rapid growth has been based on unlocking the value of data.
“The data economy accounts for around 4% of national GDP and is projected to be worth $130 billion by 2025, making the UK a global hub for data flows. The positive adaptation decision between the UK and the EU, therefore, brings great news to the technology sector, after months of waiting and contingency planning in the transition period,” he said.
“It supports the continued growth of technology extensions and the UK’s position as a world leader in data-driven technologies. As we look forward to rebuilding better, the international flow of data will be vital in driving the next wave of business innovation and driving transformation in our society.”
Possible problems ensuring LED suitability
In early February 2021, the EDPB published its first guidance on the LED, writing that “adequacy decisions should focus on assessing the existing legislation of the third country in question as a whole, in theory and in practice, in the light of the evaluation criteria established in the LED”.
It added: “Any meaningful analysis of adequate protection must [therefore] comprise two basic elements: the content of the applicable regulations and the means to ensure their effective implementation in practice.”
While the EDPB was writing in the context of the adequacy of the LED, the process of analyzing UK data protection laws both in theory and in practice also applies to the adequacy of the GDPR.
Data protection experts previously warned that while the UK’s LED commitments are met on paper through their transposition into Part Three of the Data Protection Act (DPA 18), which is corroborated by the draft EC decision, certain practices within the UK intelligence services and criminal justice sector (CJS) could undermine the country’s ability to secure a positive adequacy decision under the directive.
These concerns also extend to GDPR adequacy, but the stricter rules on how data can be transferred for law enforcement purposes mean they are particularly problematic for LED adequacy.
Specifically, they cited the close relationship between the UK and the US as a problem due to the latter’s lack of adequate data protection standards, as well as the UK’s own intrusive surveillance regime, which has long been enshrined in the Investigatory Powers Act 2016, also known as the “Snoopers’ Charter”.
The increasing use of US-based public cloud services by UK police and the CJS in general was also cited as a potentially huge problem for the UK’s ability to obtain LED adequacy, due to the potential for remote access to that data and its subsequent transfer to a non-adequate jurisdiction.
While the draft decisions are large documents of more than 50 pages that require detailed analysis to fully understand, law enforcement specialists’ first impressions were of disappointment that the EC document is primarily a legal summary and does not seem to consider these real-world practical aspects.
They also suggested that while this EC adequacy recommendation has been published, it is still too early to assume that it will be approved.
“LED is not a one-size-fits-all regulation like the GDPR,” said Owen Sayers, a UK-based independent privacy consultant with extensive knowledge of LED. “Every EU member state, including the UK when we were EU members, has created their own interpretation of the directive, and the EC recently published a study of the many different implementations in the EU that shows how much they vary from one country to another.”
Sayers added: “Each member state will probably want to review the EC recommendation to make sure their findings align with their own legislation. Indeed, the UK needs 27 positive legal reviews of the LED lineup to be successfully approved as adequate, while the GDPR only needs one.
“Even then, it is still unclear how much data the EU member states will be willing to share; an adequacy finding allows data to be shared but does not oblige a member to do so.”