The EU’s data protection watchdog has said that the UK-US agreement entered into in 2019 could undermine the UK’s chances of receiving an adequacy decision

The European Data Protection Board wrote to the European Parliament on 15 June 2020 outlining their concerns that the UK-US agreement to facilitate access to electronic evidence in criminal investigations may not be fully compatible with EU primary and secondary law.

The regulator urged the European Commission to take the agreement between the UK and US into consideration when drafting its adequacy decision for the UK.

The letter questions whether the UK was able to apply the agreement with the US whilst EU law continues to apply to the UK post-Brexit, currently until 31 December 2020.

A granted adequacy decision would facilitate the free flow of information from the EU to other countries for general commercial purposes as well as law enforcement. After the transition period ends, the UK will be considered a third country.

Dr Andrea Jelinek, Director of the EDPB, said in the letter: “The EDPB has doubts as to whether the safeguards in the agreement for access to personal data in the UK would apply in case of disclosure obligations applicable to providers of electronic communication service or remote computing service under the jurisdiction of the United States, regardless of whether the data requested is located within or outside of the United States.”

On 17 March, the UK made its case for securing an adequacy decision to allow for the continued free flow of personal data between the EU, the UK and Gibraltar after the UK’s post-Brexit transitional period ends.

The UK’s case states that it will adopt the GDPR’s principles to ensure the protection of personal data, including lawfulness, fairness, transparency, purpose limitation, data limitation, accuracy, storage limitation, integrity and accountability.

The UK’s case could be rejected or only given partial adequacy, like Canada and the US. If the UK does not secure an adequacy decision by the end of 2020, UK entities will need to rely on “appropriate safeguards” to continue to freely receive personal data from the EEA.