The European Parliament adopted by 344 votes to 311, with 28 abstentions, a resolution on the adequate protection of personal data by the United Kingdom.
The UK has always been an important trading partner for many EU Member States and a close security ally. Members believe that the EU and the UK should continue this close cooperation despite the UK's withdrawal from the EU.
An adequacy decision concerning the UK under the General Data Protection Regulation (GDPR) is therefore of the utmost importance. Failure to adopt a robust adequacy framework could lead to disruptions in cross-border trade transfers of personal data between the EU and the UK and high compliance costs.
Background
The Trade and Cooperation Agreement with the UK contains a number of safeguards and conditions for exchanging relevant law enforcement personal data. However, negotiations on personal data flows, which were conducted in parallel with the negotiations on the agreement, could not be finalised before the end of the transition period on 31 December 2020.
A 'bridging clause' was included in the agreement as an interim solution, subject to the UK's commitment not to change its current data protection regime, in order to ensure the continuity of personal data flows between the UK and the EU until an adequacy decision is adopted. The initial four-month period has been extended to the end of June 2021.
Members recalled that the assessment carried out by the Commission before presenting its draft implementing decision was not complete and did not fully comply with the Court of Justice's requirements for an adequacy assessment.
In its opinions on adequacy, the European Data Protection Committee recommended that the Commission further assess specific aspects of UK law and practice relating to bulk collection, overseas disclosure and international agreements in the field of intelligence sharing, the subsequent use of collected information for law enforcement purposes and the independence of judicial commissioners.
Certain aspects of UK legislation or practice have not been taken into account by the Commission, resulting in draft implementing decisions that do not comply with EU law.
Application of the General Data Protection Regulation (GDPR)
As the UK is a signatory to the European Convention on Human Rights (ECHR) and the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Parliament expects the UK to ensure the same minimum data protection framework, despite having left the EU.
Parliament expressed its concern about the UK's inadequate or often non-existent implementation of the GDPR while it was still a member of the EU. It raised a number of concerns about the following issues:
- UK data protection legislation provides for a derogation from certain aspects of the fundamental principles and rights of data protection, such as the right of access and the right of any data subject to know with whom his or her data has been shared, where such protection would prejudice effective immigration control;
- the draft adequacy decisions do not take into account the lack of limitations on the use of the UK's bulk data powers, nor the actual use of UK and US surveillance operations revealed by Edward Snowden;
- the UK's rules on sharing personal data under the Digital Economy Act 2017 and on onward transfers of research data are clearly not 'essentially equivalent' to the rules set out in the GDPR, as interpreted by the Court of Justice;
- the UK-US Cross-Border Data Access Agreement under the US CLOUD Act will facilitate transfers for law enforcement purposes and allow US authorities undue access to the personal data of EU citizens and residents;
- the Investigatory Powers Act 2016 makes interception subject to judicial review and allows individuals to access their data and bring complaints to the UK Investigatory Powers Tribunal. However, the IPA 2016 continues to allow the practice of bulk data retention;
- in January 2021, 400 000 criminal records were reportedly accidentally deleted from the UK police national computer, which does not inspire trust in the UK's efforts to ensure the protection of data used for law enforcement purposes.
Conclusions
Parliament called on the Commission to assure EU businesses that the adequacy decision will provide a sound, sufficient and forward-oriented legal basis for data transfers. The adequacy decision should be deemed acceptable if reviewed by the European Court of Justice and should take into account all the recommendations made in the opinion of the European Data Protection Committee.
Members opposed the two implementing acts adopted by the Commission as the draft implementing decisions do not comply with EU law. The Commission is asked to amend the two draft implementing decisions to bring them fully into line with EU law and case law.
The Commission and the competent authorities of the United Kingdom are invited to put in place an action plan to remedy the shortcomings identified in the opinions of the European Data Protection Committee as soon as possible. The Commission is invited to inform and consult the Parliament on any future changes to the UK data protection regime and to provide for a scrutiny role for the Parliament in the new institutional framework.