MEPs have urged the European Commission (EC) to revise its draft decision to provide data adequacy to the UK to ensure that citizens in the European Union (EU) have greater privacy rights.
Members of the European Parliament voted last week to ask the EC to update its decisions on the UK following concerns raised by the European data regulators.
The vote follows opinions from the European Data Protection Board that call for the UK to clarify its position on laws that allow government agencies to collect bulk data, such as phone and internet use.
The MEPs’ resolution argues that if the EC’s decisions are implemented without further changes, national data protection authorities should suspend the transfer of personal data to the UK, where there is a risk of indiscriminate access to personal data.
MEPS have raised concerns about exemptions in the UK data protection regulations for national security and immigration.
UK law allows government agencies to access and retain bulk data on individuals who are not under suspicion – a practice that is inconsistent with the General Data Protection Regulation (GDPR).
The MEPs also argue that provisions on metadata do not reflect the sensitive nature of data and are therefore misleading.
The resolution notes that the European Court of Human Rights confirmed in September 2018 that UK mass data interception and retention programmes were “unlawful and incompatible with conditions necessary for a democratic society”.
The UK’s data-sharing agreement with the US means EU citizens’ data can be shared across the Atlantic, despite rulings from the European Court of Justice that found US practices of bulk data access and retention incompatible with GDPR.
The MEPs express deep concern that information safeguarding between GCHQ and the US National Security Agency “would not protect EU citizens or residents whose data may be subject to onward transfer and sharing with the NSA” (US National Security Agency).
The UK’s application to join the Comprehensive and Progress Trans-Pacific Partnership (CPTPP) – a trade agreement between 11 countries, including Australia, New Zealand, Mexico and Peru – could also have implications for data flow to countries that do not have an adequacy decision from the EU.
During a debate, political groups said there was a need for strong data rights in Europe and warned about the dangers of mass surveillance.
Others argued that the UK had a high level of data protection and that adequacy decisions help businesses and facilitate cross-border crime prevention.
MEPs voted for the resolution 344 votes in favour to 311 against, calling for the European Commission to modify its draft decision on whether or not UK data protection is adequate to receive EU data.
Eleonor Duhs, director of law firm Fieldfisher’s privacy and information law group, said that if the resolution raised questions about the adequacy of the UK, a departing member state, it “sets the bar for adequacy impossibly high”.
The European Commission is reviewing adequacy decisions made while the predecessor legislation to the GDPR, the 1995 Data Protection Directive, was in force.
It could face significant problems in allowing those adequacy decisions to remain in force, she said.
If adequacy was no longer a viable option, organisations would have to transfer data outside the EU using standard contractual clauses (SCCs), another legal mechanism.
“These are costly and time-consuming to put in place. This, in turn, creates significant barriers to transferring data out of the EU at a time when businesses can ill afford it,” said Duhs.
The EC has published two draft data adequacy decisions, one under the GDPR and another under the Law Enforcement Directive (LED), to allow for the continued transfer of personal data to the UK.
According to the decisions, the EC considers that the UK’s data protection laws “ensure a level of protection for personal data… that is essentially equivalent” under both the GDPR and LED, and that the “oversight mechanisms and redress avenues” are sufficiently strong enough to allow data subjects to exercise their rights and sanction infringements.
The European Commission is expected to issue an adequacy decision on UK data protection and data transfers between the EU and the UK later this year.