European Commission responds to Parliament’s resolution on UK adequacy

A Brussels friend shared this response from the European Commission to the Parliament, regarding its resolution on UK adequacy. My comments are interspersed in italics.

Follow up to the European Parliament non-legislative resolution on the adequate protection of personal data by the United Kingdom (UK)

  1. Resolution tabled pursuant to Rule 132(2) of the European Parliament’s Rules of Procedure
  2. Reference numbers: 2021/2594 (RSP) / B9-0272/2021 / P9_TA-PROV(2021)0262
  3. Date of adoption of the resolution: 21 May 2021
  4. Competent Parliamentary Committee: Committee Civil Liberties, Justice and Home Affairs (LIBE)
  5. Brief analysis/ assessment of the resolution and requests made in it:

The resolution focuses on different aspects of the UK regime on the protection of personal data, as assessed in the two draft adequacy decisions on the protection of personal data by the United Kingdom published on 19 February 2021. With respect to the draft adequacy decision pursuant to the General Data Protection Regulation (GDPR), the resolution first makes general observations. It notably considers that the Commission’s assessment is incomplete and inconsistent with the requirements of the Court of Justice and highlights that the European Data Protection Board (EDPB) advised the Commission to further assess specific aspects of the UK law and practice. Second, the resolution voices concerns on the restriction of certain data protection rights for purposes of immigration control (“immigration exemption”) and calls on the Commission to seek either the removal or amendment of this immigration exemption before granting an adequacy finding. Third, in the area of access by UK public authorities to data transferred from the EU, the resolution is critical of the UK system of safeguards and limitations for such access, in particular in the area of national security. Fourth, the resolution expresses concerns that the UK may apply in the future its rules on international transfers of personal data in a way that could undermine the level of protection required under the GDPR in case of onward transfers.

With respect to the draft adequacy decision pursuant to the Law Enforcement Directive (LED), the resolution expresses concerns about the UK’s cross-border data access agreement with the United States (US) under the US CLOUD Act as it would allow undue access to the personal data of EU citizens and residents by US authorities. The resolution notes the draft adequacy decisions’ thorough assessment of interception and retention powers of UK authorities of personal data for national security reasons and calls on the Commission to further assess and monitor these.

In conclusion, the resolution calls on the Commission to assure EU businesses that the adequacy decision will provide a solid, sufficient and future-oriented legal basis for data transfers; to continue to closely monitor the level of data protection in the UK in law and practice, in particular in view of any future changes to the UK data protection regime and the potential renewal of the adequacy decisions after four years; and to amend the two draft implementing decisions with a view to making them fully consistent with EU law and case law and addressing the deficiencies identified in the EDPB opinions. Finally, the resolution considers that the two draft implementing decisions as published on 19 February 2021 are not consistent with EU law, and therefore objects to their adoption and requests that national data protection authorities suspend the transfer of personal data to the UK.

6. Response to the requests in the resolution and overview of the action taken, or intended to be taken, by the Commission:

Regarding paragraphs 9, 10, and 11: in the decision on the adequate protection of personal data by the United Kingdom adopted on 28 June 2021 pursuant to the GDPR, the Commission excluded from the scope of the decision all transfers of personal data from the EU to the UK that take place for UK immigration control purposes or are otherwise subject to the “immigration exemption”. This carve-out also followed a recent decision of the England and Wales Court of Appeal of 26 May 2021 finding the “immigration exemption” to be incompatible, in its current form, with data protection requirements. The Court of Appeal’s ruling reversed a previous judgment that had concluded that such exemption was in line EU law.

DK Comment: The categories of data that are subject to the first part of this exemption, “personal data [that are transferred] from the EU to the UK … for UK immigration control purposes”, is perhaps reasonably determinable, although it would be useful to provide some examples. However, the categories of data that are subject to the second part of the exemption, “personal data [that are transferred] from the EU to the UK that … are otherwise subject to the ‘immigration exemption’”, is well-nigh impossible to determine, since in principle any personal data that are transferred from the EU to the UK may at some stage be used for “immigration purposes” and then be subject to the exemption. For instance, data sent from a Dutch (private or state) pension provider to a UK state authority in relation to checks on benefit eligibility, or data sent from a French hospital to a UK health service provider, or data on some previous employment in the EU sent to a prospective UK state employer, etc., etc.. How is the carve-out supposed to work in relation to such data? Does the possibility of the data becoming subject to the exemption at some future date mean that the data should not be sent? Or should the EU data exporter stipulate in some (quasi?)-contractual document that the data should not be used or disclosed by the UK recipient for immigration purposes? The latter would not work because (as the CJEU has of course stressed in Schrems II) such (quasi-)contractual stipulations cannot override the law of the third country (here: the UK).

With respect to paragraphs 3, 7, 20, 23, 34, 39 and 41: the Commission shares the concerns expressed by the EDPB and the European Parliament on possible future policy developments of the UK data protection system. Nevertheless, when conducting an adequacy assessment, the Commission has to determine whether the third country in question guarantees a level of protection “essentially equivalent” (in law and practice) to that ensured within the European Union (recital 104 of Regulation (EU) 2016/679) and which is assessed against Union law, notably the GDPR, as interpreted by the Court of Justice. In its adequacy decisions with regards the United Kingdom, the Commission therefore assessed the UK law and practice as it stood up to the time of their adoption on 28 June 2021. By their nature, any white papers, recommendations, reports, announcements, statements or other on possible future policy developments – while being informative and followed closely as part of the Commission’s ongoing monitoring – do not have any impact on the legislative framework in place today in the United Kingdom.

DK Comment: It is an odd position to take, for the Commission to effectively ignore expressly stated intentions of the UK to diverge from EU law – and of course, this intention has been even more strongly stated since. It stands in stark contrast to the Commission adequacy decision on Israel of 2011, in which case the Commission declared that country to provide adequate protection in large part on the basis that it could be expected that where Israeli privacy law clearly was not the same – in fact, was quite different from – the then applicable EU law (the 1995 Data Protection Directive), those deficiencies would be mended soon after the EU decision was issued.

While recognising the current alignment of the UK data protection rules with EU legislation, the Commission’s UK adequacy decisions at the same time contain significant innovations and safeguards to address the risk of potential problematic future divergence. In particular, the duration of the adequacy findings is strictly limited in time through the introduction of a sunset clause which provides that the decisions will automatically expire four years after their entry into force. Any possible renewal of the decisions will not be automatic and will depend on whether the United Kingdom maintains a level of protection essentially equivalent to the one guaranteed in the EU. This time-limitation clearly signals to the United Kingdom that possible problematic divergences will have consequences. In addition, the decisions provide for suspension and termination mechanisms that would allow the Commission to react immediately at any time, without waiting for the four years-period to expire, if changes in UK law or practice would undermine the level of protection. In the last version of the decisions as adopted by the Commission, these mechanisms have been further strengthened, in particular by providing for a specific and strict timeframe – in principle, no longer than three months – for the UK authorities to take measures and remedy any deviation that would have an impact on the level of protection assessed in the adequacy decisions. The expiration of this period without any satisfactory action from the UK would trigger the procedure to suspend or repeal the decisions. In case of urgency, such measures can be taken immediately by the Commission.

DK Comment: There have been similar statements on the Commission keeping third countries’ data protection laws under “continuous review” in other adequacy decisions. In practice, the Commission has never revoked any once issued, and has dragged its heals over the reviews of the pre-GDPR adequacy decisions that should have been concluded a year ago. Unless the UK takes some steps that would be blatantly contrary to the EU decisions, it is extremely unlikely that the Commission would act even on very significant divergence. An exception could be if the UK were to declare that the USA provided “adequate” protection in terms of its “UK GDPR” – the Commission would have to act in that case to avoid the UK becoming blatantly a personal data laundering haven (but note that the UK has already declared Gibraltar to provide “adequate” protection under the “UK GDPR” even though Gibraltar is not “adequate” in terms of the EU GDPR – thus actually already creating a data laundering route – without the Commission taking any note of that).

Regarding paragraphs 4, 5 and the concluding paragraphs 33 to 41: the Commission underlines that its adequacy assessments, as adopted on 28 June 2021, are based on an in-depth assessment of the current UK data protection system against the relevant EU requirements. These adequacy findings acknowledge that, at this point in time, the UK standards offer an essentially equivalent level of protection to the EU standards set out in the GDPR and the Law Enforcement Directive (LED), as interpreted by the EU Court of Justice.

DK Comment: Quite unbelievably, the Commission completely ignores the UK mass surveillance activities, carried out hand in glove with the USA – which are clearly incompatible with the “relevant EU requirements”, as set out in the Schrems II judgment in particular.

Since the publication of the two draft implementing decisions on the adequate protection of personal data by the UK in February, the Commission has listened very carefully to and discussed the draft decisions with the Parliament, both in the LIBE Committee and in Plenary, with the Member States under the comitology procedure and with the European Data Protection Board. Furthermore, due account has been taken of the most recent developments in the UK to the extent they affect the legal framework assessed in the two decisions, and of relevant case law up to the moment of adoption of the decisions.

Consequently, before their final adoption, the draft decisions have been amended on a number of important points to clarify and reinforce several of the elements on which the findings are based under the GDPR and the Law Enforcement Directive. These include aspects of specific concern to the European Parliament and the EDPB. As with any adequacy findings, the Commission will provide regular updates to the European Parliament. The Commission will also continue to work closely with the EDPB on the monitoring of the functioning of the UK adequacy decisions.