On April 14, 2021, the European Data Protection Board (“EDPB”) announced that it had adopted its Opinion on the draft UK adequacy decision issued by the European Commission on February 19, 2021. The EDPB’s Opinion is non-binding but will be persuasive. The adequacy decision will be formally adopted if it is approved by the EU Member States acting through the European Council. If the adequacy decision is adopted, transfers of personal data from the EU to the UK may continue following the end of the post-Brexit transition period without the implementation of a data transfer mechanism under the EU General Data Protection Regulation (“GDPR”), such as Standard Contractual Clauses.
The EDPB stated in its press release that there were key areas of strong alignment between the data protection regimes in the EU and UK. The UK implemented the GDPR into national law prior to its departure from the EU, meaning that the EU and UK are aligned on, for example, grounds for lawful and fair processing for legitimate purposes; purpose limitation; data quality and proportionality; data retention, security and confidentiality; transparency; special categories of data; and automated decision making and profiling.
EDPB Chair Andrea Jelinek stated, “The UK data protection framework is largely based on the EU data protection framework…Therefore, the EDPB recognises that the UK has mirrored, for the most part, the GDPR…in its data protection framework and when analysing its law and practice, the EDPB identified many aspects to be essentially equivalent.”
Jelinek warned, however, that this alignment would need to continue in the future if a UK adequacy decision is to be maintained, and welcomed the European Commission’s ongoing monitoring of the UK data protection regime and proposed review of any adequacy decision within four years. The EDPB also drew attention to the ways in which the UK has deviated from the GDPR, such as by introducing exemptions to certain data protection rights for processing relating to immigration, and stated that ongoing monitoring should be conducted with respect to transfers of EU data from the UK to third countries.
The EDPB also stated that further clarifications and ongoing monitoring are required with respect to public authority access for national security purposes to personal data transferred to the UK, particularly with respect to bulk interceptions, oversight of automated processing tools and safeguards provided under UK law regarding overseas disclosure.
Prior to the EDPB’s adoption of its Opinion, the European Commission reportedly advised the EDPB to moderate its critical view of the standard of data protection provided by the UK, on the basis that the UK mirrors the EU data protection standard almost exactly, and that a determination that the UK was not adequate would disincentivize other jurisdictions from aligning themselves with the EU regime in the hope of obtaining their own adequacy decision.