- UK data protection laws are similar to EU laws, but MEPs raise questions on enforcement and exemptions
- Exemptions for immigration and national security purposes need to be clarified
- Onward transfers of data to other countries and bulk access to data by law enforcement are also a concern
- National authorities should suspend data transfers to the UK in the absence of guarantees
The European Commission should amend its draft decision on UK data protection to ensure EU standards for citizens’ privacy are respected.
In a resolution passed on Friday (344 votes in favour, 311 against and 28 abstaining), MEPs ask the Commission to modify its draft decisions on whether or not UK data protection is adequate and data can safely be transferred there, bringing them in line with the latest EU court rulings and responding to concerns raised by the European Data Protection Board (EDPB) in its recent opinions. The EDPB considers that UK bulk access practices, onward transfers and its international agreements need to be clarified further. The resolution states that, if the implementing decisions are adopted without changes, national data protection authorities should suspend transfers of personal data to the UK when indiscriminate access to personal data is possible.
Before the vote, MEPs debated the UK adequacy decision and the “Schrems II” resolution on EU-US data flows. Several political groups emphasised the need for strong data rights in Europe and the dangers of mass surveillance, with others arguing that the UK has a high level of data protection, and that adequacy decisions help businesses and facilitate cross-border crime-prevention.
Exemptions for national security and immigration
The resolution states that the UK’s basic data protection framework is similar to that of the EU, but raises concerns about its implementation. Notably, the UK regime contains exemptions in the fields of national security and immigration, which now also apply to EU citizens wishing to stay or settle in the UK. Current UK legislation also allows for bulk data to be accessed and retained without a person being under suspicion for perpetrating a crime, and the EU court has found indiscriminate access to be inconsistent with the General Data Protection Regulation (GDPR), warns the text.
Finally, MEPs underline that provisions on metadata (or “secondary data”) do not reflect the sensitive nature of such data and are therefore misleading. Although the Parliament objects to the Commission’s draft implementing acts granting data adequacy decisions for these reasons, MEPs welcome recent legislative changes that provide citizens with access to judicial redress on data decisions and make detailed oversight reports available for data interception on national security grounds.
Third countries and onward transfers
MEPs also worry about onward data transfers. The UK’s data-sharing agreements with the US mean EU citizens’ data could be shared across the Atlantic, despite recent rulings of the European Court of Justice that found US practices of bulk data access and retention incompatible with GDPR. Also, the UK’s application to join the Comprehensive and Progressive Trans-Pacific Partnership (CPTPP) could have implications for data flow to countries that do not have an adequacy decision from the EU.
Parliament urges the Commission and the UK authorities to address all these issues and insists that no adequacy decision should be granted. MEPs specify that no-spying agreements between member states and the UK could help solve matters.
The Commission is expected to decide on the UK’s data protection and the continuation of data transfers across the Channel in the coming months. Addressing the plenary before the vote, Commissioner for Justice Didier Reynders stressed that the UK’s current legislation is very similar to that of the EU. However, future divergence is possible, and this is why the adequacy decision’s four-year sunset clause is very necessary, he pointed out.