The European Parliament narrowly adopted (344 votes in favour, 311 against, 28 abstentions), on Friday 21 May, a resolution calling on the European Commission to amend its draft decisions on the adequacy of the UK’s personal data protection regime with EU law (see EUROPE 12718/14).
The resolution emphasises the need for guarantees that the arrangements for data transfers to the UK are in line with recent judgments of the Court of Justice of the European Union (CJEU) (see EUROPE 12529/2) and address the concerns raised by the European Data Protection Committee (EDPS).
MEPs also believe that national authorities should, where indiscriminate access to personal data is possible, suspend transfers of such data to the UK, should the Commission decide to adopt the adequacy decisions as they stand.
“We talk about fundamental rights, data protection. The Court judgments are important and we ask the Commission to review this adequacy decision for the UK, it is not in line. The concerns are legitimate”, said the Chair of the Parliament’s Committee on Civil Liberties, Juan Fernando López Aguilar (S&D, Spain), during a tense debate at the European Parliament plenary session on Thursday 20 May.
While a number of MEPs agreed with the Spanish socialist’s analysis, others did not, among them Assita Kanko (ECR, Belgium), who wondered: “Our citizens need to know that their data is protected, and the UK does just that. We already have agreements with Uruguay, Japan and Israel. Are we honestly saying that these countries have better standards than the UK, which itself helped to develop the current European standards? The British may be irritating for the Left, but they are not dangerous. It’s a revenge game, leave the past and Brexit where they are. By punishing the UK, you are punishing Europe!”, she added.
Enforcement and exemptions
While the Parliament recognises that the UK’s data protection laws are similar to those of the EU, the problem lies in the area of enforcement and exemptions, starting with the areas of national security and immigration, which now apply to EU citizens wishing to settle - or remain - in the UK.
Still on the subject of concerns, the resolution points out that current UK legislation allows bulk access to and retention of data without a person being suspected of having committed a crime. However, the General Court of the EU found this situation incompatible with the General Data Protection Regulation (GDPR).
The issue of onward transfers
Beyond transfers of personal data between the EU and the UK, MEPs are also concerned about onward transfers of data to third countries (see EUROPE 12702/9).
Under the agreements signed between the United Kingdom and the United States, the data of European citizens could in fact cross the Atlantic, despite the judgments of the CJEU finding the US practices incompatible with the GDPR.
“This means that the transfer of data to the US, which is usual for the UK, is not compatible with EU protection standards. Hence the importance of assessing the UK law, but also its enforcement”, concluded Mr López Aguilar.
The Commission is expected to decide on UK data protection and further data transfers across the Channel in the coming months. The MEPs insisted that no adequacy decision should be granted.
See the resolution adopted by the Parliament: https://bit.ly/3bG6vUb (Original version in French by Thomas Mangin)