40.
Consequently, the relevant legal framework applicable in the UK after the end of the transition period14 consists of: -
the United Kingdom General Data Protection Regulation (hereinafter “UK GDPR”), as incorporated into the law of the UK under the European Union (Withdrawal) Act 2018, as amended by the DPPEC (Data Protection, Privacy and Electronic Communications (Amendment Etc.) (EU Exit)) Regulations 2019;
-
the Data Protection Act 2018 (hereinafter “DPA 2018”), as amended by the DPPEC Regulations 2019, and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020; and
-
the IPA 2016.
(together “the UK Data Protection Framework”).
2.2. Scope of the EDPB’s assessment 41.
The draft decision of the European Commission is the result of an assessment of the UK Data Protection Framework, followed by discussions with the UK Government. In accordance with Article 70(1)(s) GDPR, the EDPB is expected to provide an independent opinion on the European Commission’s findings, identify insufficiencies in the adequacy framework, if any, and endeavour to make proposals to address these.
42.
As mentioned in the GDPR Adequacy Referential: “the information provided by the European Commission should be exhaustive and put the EDPB in a position to make an own assessment regarding the level of data protection in the third country”15.
43.
In this regard, it is to be noted that the EDPB only partially received documents relevant for the examination of the UK legal framework on time. The EDPB received most part of the UK legislation referred to in the draft decision through links referenced in the latter. The European Commission was not in a position to provide the EDPB with written explanations and commitments from the UK in relation to the exchanges between the UK authorities and the European Commission relevant to this exercise16.
14
The transition period is set for 31 December 2020, after which date EU law no longer applies in the UK. The “bridge period” is set for 30 June 2021 at the latest, and refers to the additional period during which transmission of personal data from the EEA to the UK is not deemed a transfer. 15 See WP254 rev.01, p. 3. 16 With regard to: Article 48 GDPR (footnote 78 of the draft decision); enhanced safeguards and security measures applied by controllers when processing in the national security context (footnote 64 of the draft decision); to the requirement for the controller to consider whether there is a need to rely on the exemption on a case-by-case basis even where a national security certificate has been issued (recital 126 and footnote 172 of the draft decision); the fact that the protections of the EU-US Umbrella Agreement will apply to all personal information produced or preserved under the UK-US CLOUD Act Agreement, irrespective of the nature or type of body making the request, with regard to the details of the concrete implementation of the data protection safeguards which are still subject to discussions between the UK and the US, the confirmation that UK authorities will only let this Agreement enter into force once they are satisfied that its implementation complies with the legal obligations provided therein, including clarity with respect to compliance with the data protection standards for any data requested under this Agreement (recital 153 of the draft decision); situations where data are transferred from the EU to the UK within the scope of this draft decision, and the fact that there would always be a “British Islands connection” and any equipment interference covering such data would
Adopted
11
