- UK data protection laws are similar to EU laws, but MEPs raise questions on enforcement and exemptions
- Protection exemptions for immigration and national security need to be clarified
- Onward transfers of data and bulk access to data by law enforcement are also a concern
The European Commission should amend its draft decision on UK data protection to bring it in line with EU court rulings and the opinions of the EU privacy supervisor.
The Civil Liberties Committee passed a resolution evaluating the Commission’s approach on the adequacy of the UK’s data protection regime, with 37 in favour, 30 against and one abstention. MEPs ask for the adequacy decisions to be amended to bring them in line with EU court rulings and concerns raised by the European Data Protection Board (EDPB) in its recent opinions. The EDPB considers that UK bulk access practises, onward transfers and its international agreements require further clarification. MEPs find that, if the implementing decisions are adopted without changes, national data protection authorities should suspend transfers of personal data to the UK when indiscriminate access to personal data is possible.
Exemptions for national security and immigration
Assessing the UK data protection regime, the Committee notes that the basic legal framework is similar to that of the EU, but raises concerns about its implementation. Notably, the UK grants broad exemptions in the fields of national security and immigration, which now also apply to EU citizens wishing to stay or settle in the UK. MEPs warn that in these areas, there is no court oversight of data policies and the executive has wide powers.
Current UK legislation also allows for bulk data access without suspicion of crime and bulk retention of data, which the EU court has found to be inconsistent with the rights enshrined in the General Data Protection Regulation (GDPR), notes the resolution. Finally, MEPs underline that provisions on metadata (or “secondary data”) do not reflect the sensitive nature of such data and are therefore misleading. Due to these factors, the Committee objects to the Commission’s draft implementing acts to grant data adequacy decisions, and finds that the current draft acts are not consistent with the institution’s implementing powers.
Third countries and onward transfers
MEPs also raise concerns about onward data transfers. The UK’s data-sharing agreements with the US open up the possibility of EU citizens’ data being shared across the Atlantic, despite recent rulings of the European Court of Justice that found US practises of bulk data access and retention incompatible with GDPR. Recently, the UK has applied to join the Comprehensive and Progressive Trans-Pacific Partnership (CPTTP). The partnership also includes provisions on the free flow of data, and the majority of its signatories have not received an adequacy decision from the EU.
The Civil Liberties Committee urges the Commission and the UK authorities to address the issues highlighted in the resolution. Without an action plan, no adequacy decision should be granted, MEPs warn. They also stress that no-spying agreements between member states and the UK could help solve matters.
After the vote, rapporteur Juan Fernando López Aguilar (S&D, ES) said: “The Civil Liberties Committee considers that a decision on adequacy should be granted only after the specific elements of UK law or practice that are still a matter of serious concern have been properly assessed. Therefore, we call on the Commission to modify the implementing decision to avoid repeating previous mistakes.”
The draft resolution will be debated and put to the vote during next week’s plenary session, together with a discussion of the ‘Schrems II’ ruling concerning data transfers from the EU to the US.
The Commission is expected to issue an adequacy decision on the UK’s data protection and the continuation of data transfers across the Channel in the coming months.