Although the EDPB notes the capacity of the UK, under its legal framework, to recognise territories as providing an adequate level of data protection in light of the UK data protection framework, the EDPB wishes to highlight that these territories might not benefit to date from an adequacy decision issued by the European Commission and ensure a level of protection “essentially equivalent” to that guaranteed in the EEA. This might lead to possible risks in the protection provided to personal data transferred from the EEA especially if, in the future, the UK data protection framework deviates from the EU acquis. In addition, the UK has already recognised as adequate the third countries that enjoy an adequacy finding by the European Commission under Directive 95/46/EC8 while the European Commission will soon review these findings and the conclusions of this review are not yet known

Next Article

For the above situations, the European Commission should fulfil its monitoring role and in case the essentially equivalent level of protection of personal data transferred from the EEA is not maintained, the European Commission should consider amending the adequacy decision to introduce specific safeguards for data transferred from the EEA and/or to suspend the adequacy decision

proportionality of the immigration exemption, in particular having regard to the broad scope of application ratione personae.

75. At the same time, the EDPB invites the European Commission to further explore whether

additional safeguards exist in the UK legal framework or could be envisaged, for instance through legally binding instruments that would complement the immigration exemption enhancing its foreseeability by and the safeguards for data subjects, also allowing for a better and prompt assessment and monitoring of the necessity and proportionality requirements.

3.1.2. Restrictions on onward transfers

76. Article 44 GDPR provides that transfers and onward transfers of personal data shall only take place if the level of protection of natural persons guaranteed by the GDPR is not undermined. Therefore, personal data transferred from the EEA to the UK based on the adequacy decision shall enjoy an essentially equivalent level of protection to the one provided under the EU data protection framework. This means that not only the UK legislation shall be “essentially equivalent” to the EU

legislation with regard to the processing of personal data transferred to the UK under the draft decision, but also that the rules applicable in the UK with regard to the onward transfer of those data to third countries shall ensure that an essentially equivalent level of protection will continue to be provided.

77. As a result, it is important that any onward transfer from the UK to another third country of personal data from the EEA is properly protected with safeguards, or is carried out in accordance with the rules on derogations44 to ensure the continuity of protection afforded by the EU legislation. Indeed,

if no such protection can be provided, onward transfers of EEA personal data should not take place.

78. The EDPB recognises that the UK has mirrored, for the most part, Chapter V GDPR in the UK GDPR (Articles 44-49) and in the DPA 201845 . However, the EDPB has identified certain aspects of the UK

legislative framework with regard to onward transfers that might undermine the level of protection of personal data transferred from the EEA.

79. The first challenge the EDPB has identified relates to the recognition by the UK, following the procedure as elaborated in the DPA 2018, of third countries, international organisations or territories46 as adequate recipients. Indeed, onward transfers of EEA personal data may occur from the UK to other third countries, on the basis of a future possible UK adequacy regulation47 .

80. More specifically, as explained in recital 77 of the draft decision, the UK Secretary of State has the power to recognise a third country (or a territory or a sector within a third country), an international organisation, or a description of such a country, territory, sector, or organisation as ensuring an adequate level of protection of personal data, following consultation of the ICO48 . When assessing the adequacy of the level of protection, the UK Secretary of State must consider the same elements that the European Commission is required to assess under Article 45(2)(a)-(c) GDPR, interpreted together with recital 104 GDPR and the retained EU case-law. This means that, when assessing the

44 See Article 49 UK GDPR. 45 See section 17A, 17B, 17C and 18 DPA 2018. 46 See section 17A of DPA 2018 DPA 2018. 47 The UK equivalent to an adequacy decision under the GDPR. 48 See section 182(2) DPA 2018. See also the Memorandum of Understanding on the role of the ICO in relation to new UK adequacy assessments, https://ico.org.uk/about-the-ico/news-and-events/news-andblogs/2021/03/secretary-of-state-for-the-department-for-dcms-and-the-information-commissioner-signmemorandum-of-understanding/.