Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

EU: Parliament urges Commission to review UK adequacy – analysis, impact, and next steps

The European Parliament adopted, on 21 May 2021, a resolution1, with 344 in favour, 311 against, and 28 abstaining, urging the European Commission to review its two draft adequacy decisions with respect to the United Kingdom. In particular, the Members of the European Parliament ('MEP') outlined that the two implementing decisions were not consistent with EU law, and if the Commission were to adopt them without having addressed all of the concerns expressed in the resolution, it would be going beyond the implementing powers conferred upon it by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and Data Protection Directive with respect to Law Enforcement (Directive (EU) 2016/680) ('the Law Enforcement Directive'). In this Insight, our legal experts explore Parliament's findings in the resolution and what the potential impact could be on UK adequacy going forward.

MicroStockHub / Signature collection / istockphoto.com

Background – Brexit, trade agreement, and response to Commission's draft decisions

Articles 45(3) of the GDPR and Article 36(3) of the Law Enforcement Directive grant the Commission the power to decide, by means of an implementing act, that a third country (i.e. a non-EU country) ensures 'an adequate level of protection', i.e. a level of protection for personal data that is essentially equivalent to the level of protection within the EU. If a third country is found to be 'adequate', transfers of personal data from the EU to the respective third country can take place without being subject to any further conditions.

Following the end of the Brexit transitional period, the UK became a third country within the meaning of the GDPR and the Law Enforcement Directive, meaning that the free and unconditional flow of data from the EU to the UK became contingent on a positive adequacy decision from the European Commission.

However, EU-UK data flows have nonetheless been able to continue, thanks to a provision in the EU-UK Trade and Cooperation Agreement ('the Trade Agreement'), enabling 'the continued free flow of personal data from the EU and EEA EFTA States to the UK until adequacy decisions are adopted, and for no longer than six months.'

The process towards UK adequacy formally began on 19 February 2021, with the Commission issuing two draft adequacy decisions, one with respect to the GDPR and the other regarding the Law Enforcement Directive. In particular, the Commission reviewed the UK's law and practice on personal data protection, including the rules on access to data by public authorities, and concluded that the UK ensures an essentially equivalent level of protection to the one guaranteed under both the GDPR and the Law Enforcement Directive.

Notably, the Commission referenced the fact that, prior to Brexit, the UK was subject to the EU data protection legal framework, which, it noted, is now broadly mirrored by the UK's data protection with the creation of the UK GDPR.

Nonetheless, the Civil Liberties, Justice and Home Affairs ('LIBE') Committee of the European Parliament has expressed 'strong doubts as to whether [the six month transitional period] will provide the required level of protection to the personal data transferred to the UK.'2  Furthermore, the European Parliamentary Research Service ('EPRS') issued, on 9 April 2021, an in-depth analysis report on EU-UK private-sector data flows after Brexit, including a section entitled "Doubts regarding UK data adequacy'3, which outlines concerns regarding:

  • UK surveillance laws and practices;
  • the implementation of EU data protection standards linked to the immigration exemption and the Digital Economy Act 2017;
  • the enforcement of data protection rules by the UK Information Commissioner's Office ('ICO');
  • the onward transfer of data; and
  • commitments to EU data protection standards.

Just over a month after the EPPRS report, the European Data Protection Board ('EDPB') issued opinions on the draft adequacy decisions.4

With respect to the GDPR decision, the EDPB highlighted that many aspects of the UK framework are essentially equivalent, however outlined a number of areas that should be further assessed and/or monitored by the Commission, including:

  • possible future divergences creating risks for the maintenance of the level of protection provided to personal data transferred from the EU;
  • the 'immigration exemption,' which the EDPB calls on the Commission to provide further information on, particularly in relation to its necessity and proportionality;
  • the possibility of amending and/or suspending the adequacy decision if the adequacy decision is not maintained in order to introduce specific safeguards for data transferred from the EEA;
  • the interplay between the UK data protection framework and its international agreements;
  • the scenarios for which a lawful interception without approval by the Investigatory Powers Commissioner or the Judicial Commissioners are possible;
  • bulk interceptions, in particular the selection and application of the selectors; and
  • the overall safeguards provided under UK law when it comes to overseas disclosure, specifically in light of the application of national security exemptions.

The resolution

A tale of two motions

Against this backdrop, two separate motions were addressed by Parliament.

The MEPs first voted on a motion5 ('the EEP/ECR Motion') presented by the European People's Party Group ('EEP Group') and the European Conservatives and Reformists ('ECR Group'), which stated that the UK data protection regime provided an adequate level of protection to that provided under EU law and therefore called on the Commission to adopt its two draft implementing decisions with positive adequacy findings.

Notably, the EEP/ECR motion highlighted that the UK has incorporated all provisions of the GDPR into its national law, that the national legislation transposing the Law Enforcement Directive continues to apply, and that the UK is a signatory to the ECHR and Convention 108+. However, the EEP/ECR motion contended that that cross-border data flows are crucially important for economic development and innovation, and that this is even more true following the COVID-19 pandemic and the focusing of EU and national recovery funds on the digital transition.

The MEPs voted on the EEP/ECR motion on 20 May 2021, rejecting it, with 335 in favour, 350 against, and 8 abstaining.

The following day, the MEPs voted on the motion presented by the LIBE Committee.

Key points from the resolution

The resolution recognises that the UK data protection regime is similar to that of the EU, but raises a number of concerns in relation to implementation, specifically with regards to alleged enforcement shortcomings, the onward transfer of data in relation to a number of UK policies, and the lack of limitations on the use of UK bulk data powers. Therefore, the resolution requests that the Commission modify its draft adequacy decisions to bring them in line with the latest EU court rulings and respond to concerns raised by the EDPB in its recent opinions. In addition, the resolution states that, if the implementing decisions are adopted without changes, national data protection authorities should suspend transfers of personal data to the UK when indiscriminate access to personal data is possible.

The 'immigration exception'

The resolution highlights that UK data protection law contains a derogation from certain aspects of the fundamental data protection rights and principles, such as the right of access and the right of a data subject to know with whom their data has been shared, if such protection would 'prejudice effective immigration control'. In addition, the resolution notes that this exemption now applies to EU citizens who reside, or plan to reside, in the UK and expresses concern that the exemption removes key opportunities for accountability and remedies, which undermine the adequacy of the UK's data protection regime. The resolution outlines that the Data Protection Act, 2018 needs to be amended before a valid adequacy decision can be issued, and calls on the Commission to seek the removal of the immigration exemption, or to ensure that it is reformed so that the exemption and its use provide sufficient safeguards for data subjects and do not breach the standards expected of a third country.

In relation to the 'immigration exception' and its effect on a UK adequacy decision, Jimmy Orucevic, Data Protection Consultant at KMPG Switzerland, highlighted, "The fact that the Court of Appeal yesterday has unanimously found that the UK immigration exemption is incompatible with Article 23 of the GDPR certainly does not help with regards to adequacy."

Surveillance powers

Additionally, the resolutions criticise the alleged failure to take account of the lack of limitations on the use of UK bulk data powers. In particular, the resolution outlines that mass surveillance of communications content and metadata takes place regardless of whether there are any specific suspicions or any target data specifically. More specifically, the resolution points to:

  • the oversight over the use of the national security exemption in UK data protection law;
  • the limitations on the use of UK bulk powers as required by the Court of Justice of the European Union ('CJEU');
  • the description of 'secondary data' (metadata) ;
  • the data sharing practices of the Five Eyes agencies, in particular GCHQ and the National Security Agency (NSA).

In view of the above, the resolution calls on Member States to enter into no-spying agreements with the UK and calls on the Commission to use its exchanges with its UK counterparts to convey the message that, if UK surveillance laws and practices are not amended, the only feasible option to facilitate the adequacy decisions would be the conclusion of 'no-spying' agreements with the Member States.

In relation to this aspect of the resolution and the UK's data protection regime, Marton Domokos, Senior Counsel at CMS Cameron McKenna Nabarro Olswang LLP, drew attention to a recent judgment handed down by the European Court of Human Rights ('ECtHR'), highlighting, "It is worth noting, in this context that very recently the ECtHR found in judgment Big Brother Watch and Others  vs. the United Kingdom (handed down on 25 May 2021) that the UK's mass interception program breached people's rights to privacy and freedom of expression. This is in line with what the Parliament expressed in the resolution, and what Parliament and the EDPB already noted in connection with the US., e.g. [in relation to] the Foreign Intelligence Surveillance Act of 1978 ('FISA'). Therefore, such issues will likely be pressed by Parliament.'

Third countries and onward transfers

The resolution expresses concern over a number of issues regarding UK law and policy with respect to data transfers. In particular, the resolution contends that UK rules on the sharing of personal data under the Digital Economy Act 2017 and on onward transfers of research data are not 'essentially equivalent' to the rules set out in the GDPR, as interpreted by the CJEU. Additionally, the resolution highlights that the UK has granted itself the right to declare that other third countries or territories provide adequate data protection, irrespective of whether the third country or territory in question has been held to provide such protection by the EU, specifically noting that the UK has already declared that Gibraltar provides such protection.

The resolution expresses concern that a UK adequacy status would lead to the bypassing of the EU rules on transfers to countries or territories not deemed adequate under EU law.

In addition, the resolution outlines that the UK's application to join the Comprehensive and Progressive Trans-Pacific Partnership '(CPTPP') could have implications for data flow to countries that do not have an adequacy decision from the EU.

Next steps for authorities

As clarified by our legal experts in our recent article EU: Analysing Parliament's Schrems II resolution - impact on SCCs, enforcement, adequacy and more, resolutions of Parliament are not binding on the Commission.

Dr. Carlo Piltz, Partner at reuschlaw Legal Consultants, clarified: "Now that the Parliament has spoken out against the adequacy decision in its current form, it should be noted that the Parliament only has a right of scrutiny in the procedure. It has the possibility to give a notification to the Commission if European law is violated. This is regulated in Article 11 of Regulation No. 182/2011. The consequence of such a resolution is also stipulated there: 'In such a case, the Commission shall review the draft implementing act, taking account of the positions expressed, and shall inform the Parliament and the Council whether it intends to maintain, amend or withdraw the draft implementing act.'

Thus, pursuant to Article 11, the Commission is now obliged to address the objections of the Parliament […] What is more important now is the decision of the committee according to the comitology procedure, which is regulated in Article 5 of Regulation No. 182/2011. This committee is composed of representatives of the Member States and must deliver an opinion on the Commission's draft. According to Article 5(2), where the committee delivers a positive opinion, the Commission shall adopt the draft implementing act. But according to Article 5(3), if the committee delivers a negative opinion, the Commission shall not adopt the draft implementing act."

In addition, the resolution requests that national data protection authorities suspend the transfer of personal data, which might be subject to indiscriminate access by UK intelligence authorities if the Commission were to adopt its adequacy decisions in relation to the UK before the UK addresses the issues mentioned above.

On this, Domokos told OneTrust DataGuidance, "This shows the extreme importance Parliament places on law enforcement authorities' bulk access to personal data. The CJEU has previously in October 2020 rejected the possibility of general indiscriminate access by governments or law enforcement authorities (Case C-623/17 and Joint Cases C-511/18, C-512/18, C-513/18), and it seems Parliament supports this notion. Undeniably this puts UK and EU data protection authorities under pressure, particularly because data transfers cannot, in practice, be brought to a standstill, as it would have serious consequences."

Next steps for businesses

The end of the interim period providing for the free flow of data from the EU and the UK is set for 30 June 2021.

With that deadline in mind, Orucevic elucidated on what the resolution could mean for businesses: ''Only considering the legal perspective, one could very well argue that the United Kingdom should not receive the adequacy decision […] However, I think that political and economic considerations will also play a role in the decision, since no adequacy for the UK would have a range of economic implications (e.g. increased risk of GDPR fines, reduction EU-UK trade, reduced investment, relocation of business functions). Since the transition period soon will come to an end, I would recommend companies prepare for the 'worst' though."

In addition, Domokos noted that, "businesses should definitely be vigilant and have 'backup methods' for that scenario, e.g. the upcoming new SCCs, individually negotiated SCCs as per Article 46 (3)(a) of the GDPR, or Binding Corporate Rules."

Alexis Galanis Privacy Analyst
[email protected]

Comments provided by:

Jimmy Orucevic Data Protection & Privacy Consultant
[email protected]
KPMG, Switzerland

Márton Domokos Senior Counsel
[email protected]
CMS Cameron McKenna Nabarro Olswang LLP, Budapest

Dr. Carlo Piltz Partner
[email protected]
reuschlaw Legal Consultants, Berlin


1. Available at: https://www.europarl.europa.eu/doceo/document/TA-9-2021-0262_EN.html
2.. See: https://www.europarl.europa.eu/doceo/document/LIBE-AL-680848_EN.pdf
3. Available at: https://www.europarl.europa.eu/RegData/etudes/IDAN/2021/690536/EPRS_IDA(2021)690536_EN.pdf
4. Available at: https://edpb.europa.eu/our-work-tools/general-guidance/other-guidance-and-information-notes_en
5. Available at: https://www.europarl.europa.eu/doceo/document/B-9-2021-0272_EN.html