Euro politicians question UK’s Data Protection Bill compatibility with GDPR

Tang’s recent letter states that the proposed UK bill might weaken the GDPR’s protection for EU citizens and could potentially violate the EU-UK Trade and Cooperation Agreement. The agreement, established in 2019, guarantees the smooth flow of data between the EU and UK.

Last year it was reported how Westminster’s plan to replace its version of the GDPR turned heads in Brussels, largely due to its potential to affect the EU-UK data adequacy agreement.

There are now concerns that the proposed changes might allow EU citizens’ data to be shared with third parties who do not meet the EU’s strict data protection standards.

“Not only is it eliminating the Biometrics and Surveillance Camera Commissioner, but it also allows indefinite retention of certain biometric data by UK law enforcement”, Tang said regarding the bill in his note to the Commission.

“The DPDI undermines safeguards set by the European Court of Human Rights, potentially jeopardising law enforcement cooperation frameworks like Prüm II and the Law Enforcement Directive”, he continued.

Put forward in December 2021, the EU Commission’s “Prüm II” proposes to update the current Prüm Framework for enhanced police cooperation. This initiative seeks to streamline cross-border criminal investigations through automated data exchange.

Tang’s first question to the EU Commission was:

“Has the Commission considered the consequences that these provisions may have on law enforcement cooperation between the EU and the UK, for instance, within the Prüm I and Prüm II Framework or against the UK adequacy decision adopted under the Law Enforcement Directive?”

The MEP asked whether or not the Commission had weighed up the potential consequences of the DPDI on the safeguarding of EU citizens biometric data under the GDPR, and how well these protective measures sit with the European Court of Human Rights (ECtHR) ruling in S and Marper vs. UK. The case established the existence of a breach of privacy rights (as per the European Convention on Human Rights) in the event of holding DNA data of individuals who were arrested but who were then acquitted or who had charges against them dropped.

Tang also asked:

“Does the Commission intend to annul the adequacy decision granting a free data flow between the EU and the UK once this bill is adopted?”

In a recent debate, UK MPs discussed anxieties raised by British companies and researchers over the possible threat to data adequacy posed by the bill. Julia Lopez, Minister of State for the Department of Culture, Media, and Sport, stated that the UK had maintained constant communication with the Commission during the bill’s development.

The Head of UK affairs at the 5Rights Foundation, said:

“We are worried about changes to fundamental principles, including the meaning of personal data, uses of data for scientific research and impact assessments.” 

“We are extremely concerned about the status of the Age Appropriate Design code and children’s personal data.

“Although the major loss will be felt to those residing in the UK, given the huge amount of people, commerce and data that flows between the EU and the UK any change to the UK regime will always impact EU citizens,”

the 5Rights Foundation continued.

Know the risks

As the UK prepares for the new version of the Data Protection and Digital Information Bill, businesses and data practitioners need to stay on top of how the new laws stand to impact the way organisations handle personal information of citizens in Britain and abroad.

The topic falls into focus next month at PrivSec & GRC Connect London where experts will debate the risks and obligations that come with the new legislation.