The UK risks throwing away the possibility of a data adequacy agreement ensuring the free flow of personal data between the UK and the European Union (EU) after the Brexit transition period ends, if it cannot be proved that there are sufficient safeguards included in the UK-US agreement on data access for criminal investigations to comply with EU standards.
This is the preliminary judgment of the European Data Protection Board (EDPB), which today clarified its position in a letter to MEPs circulated by EDPB chair Andrea Jelinek, and seen by Computer Weekly.
“The EDPB considers that the agreement concluded between the UK and the US will have to be taken into account by the European Commission [EC] in its overall assessment of the level of protection of personal data in the UK, in particular as regards the requirement to ensure continuity of protection in case of ‘onward transfers’ from the UK to another third country,” said Jelinek in her letter.
Jelinek said that with regard to the compatibility of the potential agreement with the EU acquis in the field of data protection – particularly with regard to the General Data Protection Regulation (GDPR) and Law Enforcement Directive (LED) – the levels of personal data protection, including conditions for access to personal data, must be ensured consistently throughout the EU.
Although this is still a preliminary assessment by the EDPB, Jelinek said the board had doubts as to whether the safeguards in the Brexit withdrawal agreement for access to personal data in the UK would necessarily apply in the case of disclosure obligation to digital platforms operating from within the US, regardless of whether or not the data was held there, and whether they would apply to requests made under the US Cloud Act.
Given that the EC is already negotiating its own agreement with the US to allow law enforcement agencies access to electronic evidence held in each other’s jurisdiction, Jelinek stressed that any agreement reached “must prevail over US domestic laws” and include adequate data protection safeguards for EU citizens.
“This notably includes ensuring the continuity of data protection in case of onward sharing and onward transfers,” she said. “In this context, the EDPB wishes to repeat its call for further improvements to the level of safeguards established by the EU-US Umbrella Agreement, for instance as regards the availability of judicial redress.”
Jelinek said it was also essential for the safeguards to include mandatory prior judicial authorisation as a guarantee for access to data, and noted that a preliminary assessment had failed to identify any clear provision in this regard in the UK-US agreement.
“Should the European Commission present a draft adequacy decision for the UK, the EDPB will provide its own assessment in a dedicated opinion,” she wrote.
An adequacy decision is a legal mechanism to allow the EC to facilitate personal data transfers between the EU and third countries – covering data flows under Article 45 of the GDPR for general and commercial needs, and under Article 36 of the LED for law enforcement needs. It would confirm that the UK’s data protection framework is equivalent to that of the EU.
An agreement – or lack of one, in the case of no deal – between the UK and the EU has become an important sticking point, albeit one that has been little talked about beyond the digital sphere, in the post-Brexit landscape.
The UK government estimates that personal data-enabled services exports between the UK and EU were worth over £100bn in 2018 and, given that imports and exports of other goods and services depend heavily on the free flow of personal data between the two, has taken the position that it is in the interests of both to put an agreement in place quickly.
Nevertheless, a data adequacy agreement is dependent on a thorough assessment of the UK’s data protection framework by the EC, which means the final decision is not in the UK’s gift, no matter how many guarantees or statements of ad hoc adequacy are made by Westminster.