UK Adequacy: it’s only the beginning

The European Data Protection Board issued their opinion about the draft UK adequacy decision. Under EU rules, personal data cannot be transferred to third countries unless an adequate level of personal data protection is met; thus, obtaining and maintaining a positive assessment from the European Commission will be key in ensuring the free flow of data between the UK and the EU.

While the EDPB confirmed the positive assessment of the Commission, this hardly marks the end of our journey. Indeed, the EDPB makes clear that Government plans to diverge from the GDPR do not confer any certainty over the UK ability to maintain their “adequate” data protection standards over time. But what did the EDPB say exactly? And how do Government plans fit into their opinion?

It’s all right, but…

First of all, the EDPB noted how their positive assessment stems from the fact that the UK data protection framework is still aligned with the GDPR, given the unique position of the UK as a former member of the European Union. This, however, does not mean that the EDPB endorses Government plans to diverge from the GDPR. Although these intentions have not yet materialised, the EDPB are calling on the Commission to closely monitor developments, as well as to be ready to amend or suspend the adequacy decision.

Furthermore, the EDPB notes how the “immigration exemption” is still being discussed in Open Rights Group court case. In this regard, the EDPB invites the Commission to further assess the proportionality of this exemption, as well as to be prepared to include the outcomes of the judicial case we promoted.

Finally, the EDPB notes how the UK is in the position to grant adequacy decisions under the UK GDPR, a move that could effectively allow onward transfers of personal data to countries whose level of protection has not been reviewed by the European Commission. On top of that, the EDPB raised concerns for the UK decision to issue adequacy decisions to third countries that were found to be adequate under the former Data Protection Directive, but are yet to be reviewed according to the new rules introduced by the GDPR.

What does this mean for the UK Government?

While the UK seem to be in for a positive assessment of their data protection framework, this opinion highlights several risks that Government needs to address for the years to come.

Contrary to Oliver Dowden’s view that the EU adequacy assessment would be the green light for the UK to deregulate, the EDPB raised many warnings targeted at such plans. This extends to the second argument made by the Secretary of State for Digital, Culture, Media and Sport — namely that the UK should use their independence as a way to grant adequacy decisions to countries that the EU would have been “too slow to assess”.

Finally, preserving the status quo isn’t an alternative either. The immigration exemption clearly drew a lot of attention, vindicating Open Rights Group argument that such a broad and unjustified derogation from data protection rules is on the outs with data protection rules. On the other hand, the EDPB also stressed the importance of supervision, enforcement and access to redress options. It follows that Government plans to turn the ICO into lobbyists’ best friend, as well as their decision not to implement collective complaints under article 80.2 of the UK GDPR, should be seen as a long term risk for the UK access to the EU digital market.

What does this mean for the UK?

As a starting point, data protection rules were established for a very good reason. Increasing availability of personal data and growing reliance on automated decision making makes our lives much more affected by how our personal information is used, secured and shared. In this regard, reducing fundamental safeguards would have dire consequences for our rights and personal security, as well as for society overall trust in new technologies and their ability to do good.

Further to that, businesses should be as much concerned as Civil Society Organisations are. Maintaining the free flow of personal data between the UK and the EU will be pivotal in ensuring that the UK digital economy can keep thriving and be competitive.

One thing is sure though. Open Rights Group will keep fighting to promote and maintain effective protection of our rights over our personal information. Want to know more? Stay tuned or join us, and help us protect your rights in the digital age.