ANALYSIS OF THE DRAFT UK ADEQUACY DECISION
ORG analysis of the draft adequacy decision, pdf version
0. EXECUTIVE SUMMARY
On July 22, the European Commission published its Draft Adequacy Renewal for the UK adequacy decisions adopted under the EU GDPR and LED. Its legal analysis has key deficiencies: it underestimates both the immediate impact of recent changes affecting UK data protection law, and the potential for future divergence.
Open Rights Group has produced this analysis to fill these gaps, in the hope that it will help produce a more robust legal assessment underpinning the UK adequacy determination. In particular:
In Chapter 1, we address how Regulations 2023/1417 removed references to fundamental rights from UK data protection law. This narrows the applicability of “rights and freedoms of data subjects”, thus affecting several key assessments, such as the conditions for processing special category data, Article 23 restrictions, legitimate interests and DPIAs.
In Chapter 2, we address how the REUL Act deleted the principle of supremacy of EU law from the UK GDPR. This removed the hierarchical supra-ordination of the UK GDPR over domestic enactments, thus undermining the safeguards introduced by Article 23 of the UK GDPR.
In Chapter 3, we address how the DUA Act introduces the new lawful ground of “Recognised Legitimate Interests”, which legitimises data processing for an expansive list of purposes, even against an overriding right or interest of the data subjects.
In Chapter 4, we address how the DUA Act introduces a new rule-making power that can be used to restrict the definition of special category data and reduce legal safeguards.
In Chapter 5, we address how the DUA Act introduces a new, expansive exemption from the purpose limitation principle, which legitimises further processing without regard to the original purpose for which the data was collected.
In Chapter 6, we address how the DUA Act introduces several changes to the rules governing data processing for scientific purposes, leaving scope for abuse for commercial interests.
In Chapter 7, we address how the DUA Act gives the UK government the power to allow the onward transfer of personal data to third countries even in the absence of European Essential Guarantees.
In Chapter 8, we address how the DUA Act allows the onward transfer of personal data to third countries on the basis of additional safeguards that do not ensure the availability of enforceable data subject rights and effective legal remedies.
In Chapter 9, we address how the DUA Act widens the scope for the UK government to interfere with the objective and impartial functioning of the UK supervisory authority, further eroding the independence of an already compromised regulatory authority.
In Chapter 10, we address how the DUA Act dilutes the role of the UK supervisory authority, shifting focus away from regulatory enforcement and data subjects' rights toward data controllers and extra-legal considerations.
In Chapter 11, we address how the performance of the UK supervisory authority is already showing a severe downward trajectory.
In Chapter 12, we explain why the review mechanisms envisioned by the draft UK adequacy decision will struggle to effectively monitor relevant developments in UK data protection law, exposing EU-UK cross-border data transfers to the risk of judicial invalidation and heightening legal uncertainty.