Regarding international agreements concluded between the UK and third countries, the European Commission is invited to examine the interplay between the UK data protection framework and its international commitments, beyond the Agreement on access to electronic data for the purpose of countering serious crime concluded between UK and the United States of America (hereinafter “US”)9 hereinafter ʺUK US CLOUD Act Agreementʺ), in particular to ensure the continuity of the level of protection where personal data are transferred from the EU to the UK on the basis of the UK adequacy decision and then onward transferred to other third countries and to continuously monitor and take action, where necessary, in the event that the conclusion of international agreements between the UK and third countries risks to undermine the level of protection of personal data provided for in the EU

Next Article

Furthermore, the European Commission is invited to monitor whether the UK US CLOUD Act Agreement ensures appropriate additional safeguards, taking into account the level of sensitivity of the categories of data concerned and the sole requirements of the transfer of electronic evidence directly by service providers rather than between authorities, also assessing under which circumstances safeguards may be provided by an appropriate implementation of the adaptation of the EU US Umbrella Agreement10

transfers to the third country in question. The EDPB invites the European Commission to continue this monitoring exercise for the duration of the UK adequacy decision.

84. The third challenge concerns the onward transfer of personal data from the EEA to non-adequate countries based on the transfer tools provided for in Articles 46 and 47 UK GDPR. Although the UK GDPR provides for the same transfer tools as the ones provided by the GDPR, the EDPB highlights the need to ensure that the safeguards they contain provide for an effective protection in the third country, especially in the light of the Schrems II judgment.

85. Following the Schrems II ruling, in which the CJEU reminds that the protection granted to personal data in the EU must travel with the data wherever it goes, the EDPB has already adopted initial recommendations on supplementary measures52 to assist exporters, where required, in ensuring that data subjects are afforded a level of protection essentially equivalent to that guaranteed within the EU.

86. According to the CJEU, data exporters are responsible for verifying, on a case-by-case basis and, where appropriate, in collaboration with the data importer in the third country, if the law or practice of the third country impinges on the effectiveness of the appropriate safeguards contained in the Article 46 GDPR transfer tools53. Where this is the case, data exporters should implement supplementary measures that fill these gaps in the protection and bring it up to the level required by EU law.

87. The EDPB invites the European Commission, in order to ensure continuity of protection, to

introduce in the draft decision reassurances that when the transfer tools provided in Articles 46 and 47 UK GPDR are used by data exporters in the UK for onward transfers to other third countries of EEA transferred data, these data exporters assess on a case-by-case basis, the data protection framework of the third country; and if necessary, take appropriate measures to ensure the effective respect of the safeguards contained in the chosen transfer tool to ensure an essentially equivalent level of protection to that guaranteed within the EU. Without these reassurances, the EDPB stresses that that there is a risk that the essentially equivalent level of protection to the one guaranteed within the EU, will be watered down through onward transfers taking place from the UK.

88. The fourth challenge relating to onward transfers concerns the international agreements concluded, or to be concluded in the future by the UK and the possible direct access, by authorities from third country(ies) party(ies) to such agreements, to personal data from the EEA. Indeed, the EDPB has strong concerns in relation to the already concluded UK-US CLOUD Act Agreement and the European Commission acknowledges this challenge, stressing that “a possible entry into force of the Agreement may impact the level of protection assessed in this Decision”54. Indeed, based on this agreement, once it enters into force, personal data transferred from the EEA to the UK under the draft decision would then be subject to the provisions of this agreement laying down conditions for direct access by US authorities, impacting the UK Data Protection Framework, including the provisions on onward transfers. As a result, the level of protection provided to the data transferred from the EEA may be

52 See EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, adopted on 10 November 2020, which are currently under finalisation following public consultation, https://edpb.europa.eu/sites/edpb/files/consultation/edpb_recommendations_202001_supplementarymea surestransferstools_en.pdf. 53 See Schrems II, para. 134. 54 See recital 153 of the draft decision.