This article is made available to you in collaboration with the European Parliament.
The European Commission should amend its draft decision on data protection in the UK to ensure that EU standards on citizens’ privacy are respected.
In a resolution passed on Friday (344 votes in favor, 311 against and 28 abstentions), MEPs are calling on the Commission to amend its draft decisions on whether or not data protection is adequate in the UK, and the data can be securely transferred there to align them with recent EU court rulings and the response to concerns expressed by the European Data Protection Board (EDPB) in its recent opinions. The EDPB believes that the UK’s bulk access practices, onward transfers and its international agreements need further clarification. The resolution states that national data protection authorities should suspend the transfer of personal data to the UK if the implementing decision is adopted unchanged when indiscriminate access to personal data is possible.
Before the vote, MEPs discussed the UK’s adequacy decision and the Schrems II resolution on data flows between the EU and the US. Several groups stressed the need for strong data rights in Europe and the dangers of mass surveillance, others argued that the UK has a high level of data protection and that adequacy decisions help businesses and facilitate cross-border crime prevention.
Exceptions for National Security and Immigration
The resolution states that the UK’s basic data protection framework is similar to that of the EU but raises concerns about its implementation. In particular, the UK regime includes national security and immigration exemptions that now also apply to EU citizens wishing to stay or settle in the UK. Current UK legislation also allows bulk data to be accessed and stored without a person being suspected of having committed a crime, and the EU court has ruled that indiscriminate access is incompatible with the General Data Protection Regulation (GDPR) is, warns the text.
Finally, MEPs underline that provisions on metadata (or “secondary data”) do not reflect the sensitivity of such data and are therefore misleading. Although Parliament objects to the Commission’s draft implementing acts granting data adequacy decisions for these reasons, MEPs welcome the recent legislative changes that give citizens access to legal remedies for data decisions and detailed supervisory reports that are necessary for national security reasons for interception of data are available.
Third countries and onward transfers
MEPs are also concerned about the transfer of data. Due to the British data exchange agreements with the US, the data of EU citizens could be exchanged across the Atlantic, although the European Court of Justice recently ruled that US practices of accessing and storing bulk data are incompatible with the GDPR . The UK’s application to join the Comprehensive and Progressive Trans-Pacific Partnership (CPTPP) could also affect the flow of data to countries for which there is no EU adequacy decision.
Parliament urges the Commission and the UK authorities to look at all of these issues and insists that no adequacy decision should be taken. MEPs say that espionage agreements between Member States and the UK could help solve problems.
The Commission is expected to take a decision on UK data protection and the continuation of data transmission over the channel in the coming months. Before the vote, Justice Commissioner Didier Reynders spoke to the plenary that current UK legislation is very similar to that of the EU. However, future deviations are possible, which is why the four-year forfeiture clause of the adequacy decision is very necessary, he emphasized.