The EDPB has held its 48th plenary session, during which it adopted two Opinions on the draft UK adequacy decisions:
- Opinion 14/2021 is based on the GDPR and assesses both general data protection aspects and government access to personal data transferred from the EEA for the purposes of law enforcement and national security included in the draft adequacy decision.
- Opinion 15/2021 is based on the Law Enforcement Directive (LED) and analyses the draft adequacy decision. According to the EDPB, this is the first draft implementing decision on a third country’s adequacy under the LED ever presented by the European Commission and assessed by the EDPB.
The EDPB notes that there are key areas of strong alignment between the EU and the UK data protection frameworks on certain core provisions such as grounds for lawful and fair processing for legitimate purposes; purpose limitation; data quality and proportionality; data retention, security and confidentiality; transparency; special categories of data; and on automated decision making and profiling.
The EDPB Chair pointed out that although laws can evolve, this alignment should be maintained. As a result, the EDPB welcomes the European Commission’s decision to limit the granted adequacy in time and the intention to closely monitor developments in the UK.
The EDPB emphasises that several items should be further assessed and/or closely monitored by the European Commission in its decision based on the GDPR, such as the immigration exemption and its consequences on restrictions on data subject rights; and the application of restrictions to onward transfers of EEA personal data transferred to the UK, on the basis of, for instance, future adequacy decisions adopted by the UK, international agreements concluded between the UK and third countries, or derogations.
As far as access by public authorities for national security purposes to personal data transferred to the UK is concerned, the EDPB welcomes the establishment of the Investigatory Powers Tribunal and the introduction of Judicial Commissioners in the Investigatory Powers Act 2016 to ensure better oversight. The EDPB identifies a number of points requiring further clarifications and/or monitoring:
- Bulk interceptions;
- Independent assessment and oversight of the use of automated processing tools; and
- Safeguards provided under UK law when it comes to overseas disclosure, in particular in light of the application of national security exemptions.
As well as the UK adequacy decisions, the Board reviewed some other topics. It will be consulting on draft Guidelines on the application of Article 65(1)(a) GDPR to delineate the main stages of the procedure and clarify the competence of the EDPB when adopting a legally binding decision under Article 65(1)(a) GDPR. The Guidelines also include a description of the applicable procedural safeguards and remedies.
Following consultation, the EDPB has adopted the final version of the Guidelines on the targeting of social media users. The aim of the Guidelines is to clarify the roles and responsibilities of social media providers and targeted individuals.
Finally, the EDPB adopted a Statement on international agreements including transfers. The EDPB invites EU member states to assess and, where necessary, review their international agreements that involve international transfers of personal data and which were concluded before 24 May 2016 (for those relevant to the GDPR) and 6 May 2016 (for those relevant to the LED) to align them, where necessary, with EU data protection law.
