The UK’s intelligence activities and GDPR (in)adequacy

Douwe Korff and I have now completed the second part of our analysis of the UK data protection legal framework, in relation to “national security” activities. We conclude: it is highly doubtful whether the processing of personal data by UK intelligence agencies, especially its bulk collection of communication data, is in line with the EU Charter of Fundamental Rights. In particular, its indiscriminate bulk collection of communications metadata (“related communications data”) from selected “bearers” in the underseas communication cables would appear to be contrary to principles established by the European Court of Human Rights (Big Brother Watch v. the UK) and the CJEU (Tele2/Watson, Digital Rights, Schrems II, Privacy International and La Quadrature du Net), as reflected in the recent EDPB’s “European Essential Guarantees for Surveillance Measures”. In our opinion, the UK can therefore not be granted a positive adequacy decision under Article 45 GDPR.

You can read part two and our executive summary of both parts below, alongside part one.