In encouraging news for UK-based organizations involved in the processing of personal data, the European Data Protection Board (EDPB) has adopted two Opinions on the draft UK adequacy decisions which, if approved, would allow the transfer of personal data from the European Economic Area (EEA) to the UK to continue freely.
The first Opinion (Opinion 14/2021) relates to the GDPR and considers general data protection issues and also government access to personal data transferred from the EEA for national security and law enforcement purposes set out in the draft adequacy decision. The second Opinion (Opinion 15/2021) relates to the Law Enforcement Directive (LED) and considers various issues.
The EDPB observes that there are significant areas of clear alignment between the EU and UK on a number of key data protection requirements, such as purpose limitation, security and confidentiality, grounds for fair and lawful processing, transparency, and data quality and proportionality, among others.
Having said that, the EDPB also notes that various points should be considered further and/or closely monitored by the European Commission in its decision based on the GDPR, including, for instance, the application of restrictions to onward transfers of EEA personal data transferred to the UK on the basis of, for example, future adequacy decisions adopted by the UK.
The EDPB also considers access by public authorities for national security purposes to personal data transferred to the UK. While the EDPB notes that various issues require further clarification and/or monitoring, such as the issue of bulk interceptions and safeguards under UK law regarding overseas disclosure, the EDPB notes with approval the introduction of the Investigatory Powers Tribunal to help tackle issues of redress regarding national security and the establishment of Judicial Commissioners in the Investigatory Powers Act 2016 to help improve oversight.
The EDPB has acknowledged that many areas of UK data protection law are “essentially equivalent” to EU data protection law, although it also notes that laws can be updated and therefore believes that changes in UK data protection law should be kept under review by the European Commission. Although not a completely unequivocal endorsement of the UK’s adequacy decisions by the EDPB, this looks like a step in the right direction for the UK.