Insights European Parliament urges EU Commission to amend UK adequacy decisions

Following the Civil Liberties Committee’s Resolution last month, the EU Parliament has also passed a Resolution asking the Commission to modify its draft decisions on whether or not UK data protection is adequate and personal data can safely be transferred there, bringing them in line with the latest EU court rulings and responding to concerns raised by the European Data Protection Board (EDPB) in its recent opinions. The EDPB considers that UK bulk access practices, onward transfers and its international agreements need to be clarified further. The Resolution states that, if the implementing decisions are adopted without changes, national data protection authorities should suspend transfers of personal data to the UK if there is any chance of indiscriminate access to personal data.

The Resolution states that the UK’s basic data protection framework is similar to that of the EU, but raises concerns about its implementation. Notably, MEPs note that the UK’s regime contains exemptions for national security and immigration, which now also apply to EU citizens wishing to stay or settle in the UK. Current UK legislation also allows for bulk data to be accessed and retained without a person being under suspicion for perpetrating a crime, and the EU court has found indiscriminate access to be inconsistent with the GDPR.

Further, the Resolution states that provisions on metadata do not reflect the sensitive nature of such data and are therefore misleading. However, the Resolution welcomes recent legislative changes in the UK providing citizens access to judicial redress on data decisions and detailed oversight reports for data interception on national security grounds.

The Resolution notes that the UK’s data-sharing agreements with the US mean that EU citizens’ data could be shared across the Atlantic, despite the CJEU’s rulings in Schrems I and Schrems II. Further, the UK’s application to join the Comprehensive and Progressive Trans-Pacific Partnership (CPTPP) could have implications for data flow to countries that do not have an adequacy decision from the EU.

The Parliament urges the Commission and the UK authorities to address these issues and says that no adequacy decision should be granted. The Parliament specifies that “no-spying” agreements between Member States and the UK could help. To read the EU Parliament’s press release in full, click here.