The European Data Protection Board (EDPB) has found many aspects of the United Kingdom’s data protection framework to be ‘essentially equivalent’ to the European Union’s but has also recommended that several areas be further assessed.
The EDPB’s opinion is non-binding but is nevertheless a key part of the process in fully adopting the adequacy decision that would continue to allow the free flow of personal data between the UK and EU once a six-month grace period comes to an end in June.
The EDPB said: “The EDPB recognises that the UK has mirrored, for the most part, the General Data Protection Regulation (GDPR) and Law Enforcement Directive (LED) in its data protection framework and when analysing its law and practice, the EDPB identified many aspects to be essentially equivalent.”
However, the EDPB stressed that this alignment should be maintained and welcomed the decision of the European Commission to time-limit the adequacy decision to four years, so that it can “closely monitor developments in the UK”.
The EDPB highlighted several issues that it believes need to be further assessed or closely monitored by the European Commission.
They include the UK’s immigration exemption rules, which restrict some GDPR rights if they are likely to prejudice effective immigration control, and possible future restrictions to onward transfers of European Economic Area (EEA) personal data transferred to the UK.
On access by public authorities for national security to personal data transferred to the UK, the EDPB says it welcomes the establishment of Britain’s Investigatory Powers Tribunal to address challenges of redress in national security and the introduction of judicial commissioners to ensure better oversight in that area.
But the board says bulk interceptions, independent assessment and oversight of the use of automated processing tools, and safeguards under UK law related to overseas disclosure for national security exemptions all require further clarifications and/or monitoring.
The notice comes days after the European Parliament’s in-house think-tank suggested supplementary rules could be agreed to “bridge the gap” between the UK and EU data protection systems and ensure the continued free flow of personal data.
The EDPB notes that there are key areas of strong alignment between the EU and the UK data protection frameworks on certain core provisions such as: grounds for lawful and fair processing for legitimate purposes; purpose limitation; data quality and proportionality; data retention, security and confidentiality; transparency; special categories of data; and on automated decision making and profiling.
The adequacy decision will need to be ratified by member states ahead of full adoption.