28 August 2023 Reply from Commissioner Reynders to LIBE Committee Chair DPDI Bill

Honourable Chair, dear Juan,

Thank you for your letter of 13 June 2023, in which you ask the Commission about its assessment
of the UK’s Data Protection and Digital Information Bill that is currently before the UK Parliament.
Let me start by recalling that, as regards adequacy decisions adopted by the EU, the Court of Justice
has clarified that, although not requiring a third country to ensure a level of protection for personal
data identical to that provided under EU law, the term ‘adequate level of protection’ must be
understood as requiring the third country to ensure a level of protection “essentially equivalent” to
the one guaranteed within the EU. Therefore, when considering the amendments to the UK’s
current data protection legislation proposed in the Data Protection and Digital Information Bill,
what matters is whether these amendments – if adopted – would affect the level of protection found

Against this background, the Commission notes that, while a number of the proposed amendments
do not seem to affect the level of protection – as they are aimed notably at clarifying the existing
framework building on the experience gathered in the application of the GDPR and the LED – some
changes raise concerns and are liable to question the level of protection found adequate.
For example, that is the case of the amendments that affect the independence of the UK’s data
protection authority. More specifically, as you mention also in your letter, the Bill makes the
adoption of so-called codes of practice by the UK Information Commissioner (i.e. guidance in
important areas such as data sharing, direct marketing, age-appropriate design and data protection
and journalism) subject to the need for approval by the Secretary of State. In addition, the Bill
requires the Information Commissioner to ‘have regard to’ strategic priorities set by the Secretary
of State and to explain in writing how he will do so.

Since the beginning of the reform process, the Commission has been in touch on these issues with
the responsible department in the UK Government – the Department for Science, Innovation and
Technology – and has repeatedly raised the abovementioned concerns. We will continue to closely
monitor how the Bill evolves in the parliamentary process.

Finally, let me reassure you that when the adequacy decisions for the UK were adopted in June
2021, the possibility that the UK would diverge from the EU’s data protection framework was fully
taken into consideration and reflected in the decisions, including through the introduction of a
“sunset clause” according to which the decisions expire in June 2025 and can only be renewed if an
adequate level of protection continues to be guaranteed. In addition, if problematic changes would
be made to the UK data protection framework, the Commission can amend, suspend, or repeal the
adequacy decisions at any time.

Yours sincerely,