In February 2021, the European Commission held proceedings towards the adaption of an adequacy decision for transfers of personal data to the United Kingdom and published a first draft, on which the European Data Protection Board (EDPB) promulgated two opinions on 16 April 2021. The EDPB welcomes the draft in principle but requires some improvements.
Update 28 June 2021: Today it was announced that the EU Commission adopted the adequacy decision despite criticism from the EDPB and the European Parliament. Read more in our guide on the adequacy decision.
Transfer in other third countries
In its opinion, the EDPB emphasises that the Commission must specifically check international agreements between the United Kingdom (UK) and other third countries – for example, the UK-US CLOUD Act Agreement, which regulates access of law enforcement agencies to electronic data. The EDPB demands the European Commission to monitor such third country agreements alongside the agreement between the EU and the United Kingdom in order to take appropriate measures in maintaining the protection level of the EU-GDPR (European General Data Protection Regulation).
The barriers to third country transfers, for example to the US, should not be circumvented through the transfer of data to the United Kingdom on the basis of the EU adequacy decision.
Establishment of the Investigatory Powers Tribunal
In addition, the EDPB welcomes the establishment of an additional court, the Investigatory Powers Tribunal (IPT). The IPT will be competent to hear cases on the use of data by law enforcement authorities as well as by intelligence services. The implementation of Judicial Commissioners is also planned, whose function was particularly valued by the EDPB as an officer for various monitoring measures, such as the bulk acquisition of communications data. However, it remains to be seen how, and through which authority, effective oversight can be subsequently ensured, along with legal remedies for individual data subjects. The EDPB expressly requests the Commission to provide further evaluation and proof on this topic.
Sunset clause and monitoring the legal situation
The EDPB puts special emphasis on requiring the continuous monitoring and evaluation of the legal situation in the United Kingdom. The EU-GDPR is already largely incorporated into British national law as UK-GDPR (UK General Data Protection Regulation). However, future national changes are possible and have already been announced. For this reason, the EDPB welcomes the sunset clause, which stipulates a four-year limitation for the adequacy decision. The adequacy of data protection can be thereby continuously observed and newly evaluated without the need for court decisions.
Companies can hope for an adequacy decision
In both opinions, the EDPB stressed that it is not to be expected that the European data protection law will be adopted on a one-to-one basis. Rather, it is of more importance that the level of data protection required of the EU-GDPR is not undermined.
However, according to the EDPB some regulations are not yet sufficiently regulated and are in the need of improvement. In particular, the agreements between the United Kingdom and other third countries as well as the extensive accessibility of secret services are still to be examined and, as far as possible, to be secured with appropriate measures.
It is still possible to transfer data to the United Kingdom during the transition phase to the end of April or June 2021. Subsequently, it seems to be likely that data transfers based on an adequacy decision can occur without the need for further safeguards. According to the Commission, pending approval of EU member states is to be expected.
Nevertheless, we advise companies that transfer personal data to the UK to be aware of these data transfers and to contact service providers used in the United Kingdom in order to be able to implement additional measures and safeguards, if required.
