The inadequacy of the EU Commission’s Draft GDPR Adequacy Decision on the UK

The European Commission published last month its draft decision finding the UK’s data protection regime to be “adequate” in GDPR terms. It would be a serious mistake for the EU Member States (the GDPR Article 93 committee) to approve this decision, allowing personal data to flow freely from the European Economic Area countries to the UK, because:

  • The Draft Decision generally looks at the law on paper (as described, at times misleadingly, by the UK itself) without paying any real attention to the application of the law in practice and without assessing law or practice against the EU legal standards.
  • The UK rules on data sharing, the immigration exemption and the research exemption are clearly not in accordance with the EU standards.
  • Adoption of the decision would lead to serious risks that the UK will become a data protection-evasion haven for personal data from the EU/EEA to countries that are not held to provide adequate protection by the EU; that the UK will allow for undue direct access to data (including data on EU persons) by US authorities under the UK-US Agreement; and that it will allow UK companies to meekly comply with judgments and orders from non-EU Member States, also in respect of EU data, contrary to Article 48 GDPR.
  • The UK ICO continues to fail to properly enforce the law in the vast majority of cases – even when it itself concludes that the law has been broken.
  • The elephant in the room: The Draft Decision completely fails to assess (or even note) the UK’s intelligence agencies’ actual surveillance practices.

You can read an executive summary and full analysis of the decision in these two files, submitted this morning to the EU institutions. Let’s see what the European Parliament and the European Data Protection Board have to say, even if their opinions are only advisory to the Member States.