Motion for a resolution - B9-0268/2021Motion for a resolution
B9-0268/2021
European Parliament

MOTION FOR A RESOLUTION on the adequate protection of personal data by the United Kingdom

12.5.2021 - (2021/2594(RSP))

to wind up the debate on the statements by the Council and the Commission
pursuant to Rule 132(2) of the Rules of Procedure

Tom Vandenkendelaere, Jeroen Lenaers
on behalf of the PPE Group
Assita Kanko, Nicola Procaccini
on behalf of the ECR Group

Procedure : 2021/2594(RSP)
Document stages in plenary
Document selected :  
B9-0268/2021
Texts tabled :
B9-0268/2021
Debates :
Votes :
Texts adopted :

B9‑0268/2021

European Parliament resolution on the adequate protection of personal data by the United Kingdom

(2021/2594(RSP))

The European Parliament,

 having regard to the Charter of Fundamental Rights of the European Union, in particular Articles 6, 7, 8, 16, 47 and 52 thereof,

 having regard to the Trade and Cooperation Agreement of 31 December 2020 between the European Union and the European Atomic Energy Community, of the one part, and the United Kingdom of Great Britain and Northern Ireland, of the other part[1],

 having regard to its resolution of 28 April 2021 on the outcome of EU-UK negotiations[2],

 having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR)[3], in particular Article 45(3) thereof,

 having regard to Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (Law Enforcement Directive for Data Protection – ‘LED’)[4], in particular Article 36(3) thereof,

 having regard to the European Convention on Human Rights (ECHR) and to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of the Council of Europe, as well as to its amending protocol (‘Convention 108+’), to which the UK is a party,

 having regard to Opinion 14/2021 of the European Data Protection Board (EDPB) of 13 April 2021 regarding the European Commission Draft Implementing Decision pursuant to Regulation (EU) 2016/679 on the adequate protection of personal data in the United Kingdom,

 having regard to Opinion 15/2021 of the EDPB of 13 April 2021 regarding the European Commission Draft Implementing Decision pursuant to Directive (EU) 2016/680 on the adequate protection of personal data in the United Kingdom,

 having regard to Rule 132(2) of its Rules of Procedure,

A. whereas the ability to transfer personal data across borders is a key driver of innovation, productivity and economic competitiveness, and facilitates interpersonal contact and cultural relations; whereas it is, furthermore, of crucial importance for effective cooperation in the fight against cross-border organised and serious crime, as well as in the fight against terrorism, which increasingly depends on the exchange of personal data;

B. whereas European businesses need legal clarity and legal certainty, as the ability to transfer personal data across borders has become increasingly important for all types of companies that deliver goods and services internationally; whereas failing to adopt a robust adequacy framework under the GDPR would risk disruptions in cross-border transfers of personal data, as well as entail high compliance costs for European businesses conducting trade across the Channel;

C. whereas the United Kingdom was a Member State of the EU until 31 January 2020 and continued to be bound by EU legislation, including the Union data protection acquis, as well as Union legal oversight and enforcement mechanisms, during the transition period which ended on 31 December 2020;

D. whereas the UK has incorporated the provisions of the GDPR into its national law and has moreover provided that all ‘EU-derived domestic legislation’, including the legislation transposing the LED, will continue to apply after the end of the transition period; whereas the national law of the UK consequently provides for safeguards, individual rights, obligations for controllers and processors, rules on international transfers, supervision systems and redress avenues similar to those available under EU law;

E. whereas the negotiations on personal data flows were conducted in parallel to the negotiations on the Trade and Cooperation Agreement (TCA) but were not finalised by the end of the transition period; whereas a ‘bridging clause’ was included in the TCA as an interim solution, conditional upon the commitment by the UK not to change its current data protection regime, in order to ensure the continuation of data flows between the UK and the EU until the adoption of an adequacy decision; whereas the initial four-month period has been extended and will expire at the end of June 2021;

F. whereas on 19 February 2021 the Commission launched the procedure for the adoption of two adequacy decisions for transfers of personal data to the UK under the GDPR and the LED following a thorough assessment of the UK’s law and practice on personal data protection, including the rules on access to data by public authorities; whereas the Commission has concluded that the UK ensures an essentially equivalent level of protection to the one guaranteed under the GDPR and the LED;

G. whereas the 2020 UK National Data Strategy could represent a shift from the protection of personal data towards wider use and sharing of data but aims to maintain high data protection standards; whereas the adequacy decisions include a sunset clause, meaning that in four years’ time the decisions will be automatically repealed unless they are renewed following a reassessment by the Commission;

H. whereas the Commission currently recognises Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection under the GDPR; whereas on 30 March 2021, adequacy talks were concluded with the Republic of Korea and the Commission will now proceed to launch the procedure leading to the adoption of an adequacy decision; whereas the UK would be the first country to which the Commission proposes to grant adequacy under the LED; whereas the TCA includes a number of additional safeguards and conditions for exchanging relevant data in the context of law enforcement;

1. Underlines that cross-border data flows are crucially important for economic development and innovation; points out that this is even more true in the context of a fragile recovery following the COVID-19 pandemic and the focusing of EU and national recovery funds on the digital transition; underlines, furthermore, that the UK is a key partner in the fight against cross-border crime, as well as the fight against terrorism, and that the sharing of information is of critical importance in this area of international cooperation;

2. Notes that the UK has incorporated all provisions of the GDPR into its national law and that the national legislation transposing the Union LED continues to apply; highlights, moreover, that the UK is a signatory to the ECHR and Convention 108+; expects the UK to fully comply with its obligations under these international Treaties;

3. Recalls the assessment of the EDPB, which recognises that the UK has mirrored, for the most part, the GDPR in its data protection framework, and that the EDPB has identified many aspects as being essentially equivalent;

4. Notes the UK’s commitment to respect democracy and the rule of law, and protect and give domestic effect to fundamental rights such as those set out in the ECHR, including high levels of data protection;

5. Takes note of public statements made by the UK Prime Minister declaring that the UK will establish its own ‘sovereign’ controls in the area of data protection; stresses, however, that so far no legislative action has been taken on the basis of these political declarations;

6. Notes that the 2020 National Data Strategy emphasises the commitment of the UK to obtain an adequacy decision from the EU and to ensure that the free flow of data to and from the UK is properly protected; underlines the importance of monitoring any legislative changes based on the Strategy and of assessing their compatibility with the GDPR;

7. Notes that UK legislation, notably the Digital Economy Act 2017 and the Crime and Courts Act, explicitly allow ‘onward sharing’ of personal data between public authorities and with the National Crime Agency respectively for several specified purposes; underlines that onward sharing on the basis of these acts has to comply with the rights and principles defined in the UK Data Protection Act; shares the view of the EDPB that the Commission should constantly assess the possible impact of related restrictions to the level of protection of personal data and to take measures when necessary;

8. Recalls the EDPB’s assessment regarding the existence and effective functioning of an independent supervisory authority in the UK; underlines that the Information Commissioner’s Office (ICO) is a well-equipped and active data protection authority which already had enforcement powers before the GDPR was in place and imposed significant fines under the GDPR when the UK was still a member of the EU; points to the importance of proper enforcement by the ICO and stresses that the UK should ensure that the ICO maintains a high level of expertise and resources in order to perform its tasks;

9. Is concerned that UK data protection law contains a derogation from certain data protection rights, such as the right of access and the right of a data subject to know with whom their data has been shared, if such protection would ‘prejudice effective immigration control’[5]; recognises that this exemption, which is available to all data controllers in the UK, has been endorsed by the ICO and a court, and can only be invoked on a case-by-case basis and applied in a necessary and proportionate way; recalls recently revealed information according to which 17 780 access requests were made in relation to data processed concerning 146.75 million data subjects and that the immigration exemption was used in over 70 % of data subject requests to the Home Office in 2020[6]; stresses that even in those cases where the Home Office made use of the derogation, access to information was not completely denied but restricted to redacted documents;

10. Notes that this exception, which can be challenged before the ICO and UK courts, may be invoked in relation to EU citizens who reside or are planning to reside in the UK; calls on the Commission to closely monitor the application of this exception to ensure that it does not limit accountability and remedies; calls on the Commission to ask for safeguards in order to protect EU citizens against the possible use of this exemption in the future and to uphold the rights and remedies enjoyed by EU citizens under the GDPR;

11. Recalls the revelations of mass surveillance by the US and the UK, as revealed by whistle-blower Edward Snowden; recalls that the European Court of Human Rights ruled in 2018 that the UK’s mass data interception and retention programmes, including the ‘Tempora’ programme run by the Government Communications Headquarters (GCHQ), and used to intercept communications in real time and record the data so that they could be processed and searched at a later time, was unlawful;

12. Recognises that the UK has since significantly reformed its surveillance laws and introduced safeguards which go beyond the conditions defined by the Court of Justice of the European Union (CJEU) in its ‘Schrems II’ ruling[7] and the safeguards provided in the surveillance laws of most Member States; welcomes in particular the provision of full access to effective judicial redress; recalls that the UN Special Rapporteur on the Right to Privacy has welcomed the strong safeguards introduced with the Investigatory Powers Act 2016 (‘IPA 2016’) in terms of necessity, proportionality and independent authorisation by a judicial body;

13. Points out that further sharing of personal data with intelligence agencies in third countries is subject to specific safeguards provided in the Data Protection Act 2019 and the IPA 2016; emphasises the need to ensure that these safeguards sufficiently protect EU citizens or residents whose data may be subject to onward transfers and sharing with the National Security Agency;

14. Welcomes the fact that the European Union (Withdrawal) Act 2018 provides that CJEU case law generated before the end of the transition period will become ‘retained EU law’ and thus legally binding for the UK; points out that the UK is bound by the principles and conditions defined in the Schrems II judgment of the CJEU when assessing the adequacy of other non-EU countries; considers this an important safeguard to ensure the legality of onward transfers;

15. Underlines that the UK rules governing personal data transfers to third countries are identical to the rules provided for in the GDPR; considers, however, that the Commission should monitor the application of these rules in practice, as the UK’s granting of adequacy status to countries or territories not deemed adequate under EU law could lead to the bypassing of the EU rules on transfers;

16. Notes the UK’s cross-border data access agreement negotiated with the US[8], under the UK’s Crime (Overseas Production Orders) Act 2019 (‘OPO Act’) and the US’s Clarifying Lawful Overseas Use of Data Act (‘CLOUD Act’), which is intended to facilitate transfers for law enforcement; takes note of the fact that the agreement has not yet entered into force, as the UK is seeking additional safeguards from the US and has committed to informing the Commission of those additional safeguards before the agreement enters into force; expects those safeguards to prevent undue access to the personal data of EU citizens and residents by the US authorities and calls on the Commission to monitor the implementation of the agreement in this regard;

17. Recalls that the CJEU in its judgment C-623/17 clearly stated that the ePrivacy Directive, read in the light of the relevant provisions of the Charter, does not preclude national legislation enabling a state authority to require providers of electronic communications services to carry out the general and indiscriminate transmission of traffic data and location data to the state’s security and intelligence agencies in the event of a serious threat to national security and subject to strict conditions;

18. Notes that in this case, the CJEU ruled that the bulk data collection carried out in the UK under the Regulation of Investigatory Powers Act 2000 was illegal; points out that at the time of the ruling, the legislation had long since been replaced by the IPA 2016 which considerably strengthened the principles of necessity and proportionality; underlines that IPA 2016 makes interception subject to prior judicial approval and oversight, and empowers individuals to access their data and lodge complaints before the investigatory powers tribunal; stresses that these safeguards were welcomed by the UN Special Rapporteur on the Right to Privacy and deemed a ‘significant improvement’ to the UK regime by the EDPB;

19. Takes note of the shortcomings identified in the way the UK implemented data protection law while it was still a member of the EU; notes that the UK was recording and maintaining a copy of the Schengen Information System (SIS); expects the UK law enforcement agencies to fully comply with the applicable rules when exchanging personal data in the future; recalls that the UK maintains access to some EU law enforcement databases only on a hit/no hit basis and is legally excluded from accessing the SIS;

20. Notes that the draft adequacy decision thoroughly assesses the rights of each UK authority empowered by national law to intercept and retain personal data for national security reasons; welcomes, furthermore, the fact that detailed oversight reports about the authorities in charge of the Intelligence Community provide information regarding the UK’s actual surveillance practices; calls on the Commission to further assess and monitor the types of communications data that fall under UK data retention and lawful interception powers;

21. Points out that the EU-UK TCA includes titles regarding the exchange of DNA, fingerprints and vehicle registration data, the transfer and processing of passenger name record data (PNR), cooperation on operational information and cooperation with Europol and Eurojust, but does not in itself provide a legal basis for transfers; stresses that these provisions can be suspended if the UK shows serious deficiencies regarding the protection of personal data, including where those deficiencies have led to a relevant adequacy decision ceasing to apply; welcomes the fact that the processing of special categories of data remains prohibited; notes that the TCA provisions concerning Prüm data are mostly in line with internal EU rules but have been adapted in relation to evaluations, suspension and disapplication;

22. Calls on the Commission to assure EU businesses that the adequacy decision will provide a solid legal basis for data transfers insofar as the data protection regimes of the UK and the EU remain convergent in law and in practice; underlines the importance of making sure that this adequacy decision will be deemed acceptable if reviewed by the CJEU, and stresses that all recommendations made in the EDPB opinion should therefore be taken into serious consideration;

23. Expects the Commission, where the available information reveals that the UK no longer ensures an adequate level of protection, and to the extent necessary, to make use of the possibility to amend, suspend or repeal the adequacy decision at any point in time, including by means of the urgency procedure provided for in the draft adequacy decision; expects the Commission to attempt to amend the decision first before suspending or repealing, in order to avoid unnecessary disruptions or high compliance costs;

24. Welcomes the fact that the adequacy decisions will only apply for four years, as the UK might choose to amend the legislation subject to the Commission’s adequacy assessment now that it is no longer an EU Member State; calls on the Commission to keep monitoring the level of data protection in the meantime and to thoroughly assess data protection law and practice in the UK before renewing the adequacy decision in 2025;

25. Calls for the Commission to keep Parliament informed about any relevant future changes to the UK data protection regime, as well as about related discussions in relevant bodies such as the Specialised Committee on Law Enforcement and Judicial Cooperation, and to take Parliament’s position on these into account;

26. Considers, based on the information available, that the level of protection currently afforded to personal data under UK law and practice is essentially equivalent to that in the EU; expresses, therefore, its support for the two draft implementing decisions of the Commission on the adequate protection of personal data by the United Kingdom, under the GDPR and the LED respectively;

27. Calls on the Commission to adopt the adequacy decisions on time, that is before the end of the interim period, in order to avoid any disruptions for European companies or to transfers for law enforcement purposes;

28. Instructs its President to forward this resolution to the Council, the Commission, the governments and parliaments of the Member States and the Government and Parliament of the United Kingdom.

 

Last updated: 13 May 2021
Legal notice - Privacy policy