Insights European Parliament Committee urges Commission to amend UK adequacy decisions

The European Parliament’s Civil Liberties Committee (LIBE) has passed a Resolution evaluating the Commission’s approach to the adequacy of the UK’s data protection regime, with 37 in favour, 30 against and one abstention.

The Committee said that the adequacy decisions should be amended to bring them in line with EU court rulings and concerns raised by the European Data Protection Board (EDPB) in its recent Opinions. The EDPB considered that UK bulk access practices, onward transfers and its international agreements require further clarification. The Committee said that, if the decisions are adopted without changes, national data protection authorities should suspend transfers of personal data to the UK when indiscriminate access to personal data is a possibility.

Assessing the UK data protection regime, the Committee noted that the basic legal framework was similar to that of the EU, but raised concerns about its implementation. Notably, it said, the UK grants broad exemptions in the fields of national security and immigration, which now also apply to EU citizens wishing to stay or settle in the UK. MEPs warned that in these areas there is no court oversight of data policies and the executive has wide powers.

The Committee also noted that current UK legislation allows for bulk data access, without suspicion of crime, and the bulk retention of data, which the EU court has found to be inconsistent with the General Data Protection Regulation (GDPR). The Committee also underlined that provisions on metadata (or secondary data) do not reflect the sensitive nature of such data and are therefore misleading.

The Committee also raised concerns about onward data transfers, saying that the UK’s data-sharing agreements with the US open up the possibility of EU citizens’ data being shared across the Atlantic, despite the CJEU’s rulings in Schrems I and Schrems II, which found that US practices of bulk data access and retention are incompatible with the GDPR. Further, the Committee said that the UK has applied to join the Comprehensive and Progressive Trans-Pacific Partnership, which contains provisions on the free flow of data, but without the majority of signatories having received an adequacy decision from the EU.

The Committee therefore urged the Commission and the UK authorities to address the issues highlighted in the Resolution and warned that, without an action plan, no adequacy decision should be granted. The Committee also stressed that no-spying agreements between Member States and the UK could help solve matters.

The Resolution will be debated and put to the vote of the whole European Parliament during this week’s plenary session, together with a discussion of the Schrems II ruling. To read the Committee’s press release in full, click here.