The UK risks throwing away the possibility of a data adequacy agreement ensuring the free flow of personal data between the UK and the European Union (EU) after the Brexit transition period ends, if it cannot be proved that there are sufficient safeguards included in the UK-US agreement on data access for criminal investigations to comply with EU standards.
This is the preliminary judgment of the European Data Protection Board (EDPB), which today clarified its position in a letter to MEPs circulated by EDPB chair Andrea Jelinek, and seen by Computer Weekly.
“The EDPB considers that the agreement concluded between the UK and the US will have to be taken into account by the European Commission [EC] in its overall assessment of the level of protection of personal data in the UK, in particular as regards the requirement to ensure continuity of protection in case of ‘onward transfers’ from the UK to another third country,” said Jelinek in her letter.
Jelinek said that with regard to the compatibility of the potential agreement with the EU acquis in the field of data protection – particularly with regard to the General Data Protection Regulation(GDPR) and Law Enforcement Directive (LED) – the levels of personal data protection, including conditions for access to personal data, must be ensured consistently throughout the EU.
Although this is still a preliminary assessment by the EDPB, Jelinek said the board had doubts as to whether the safeguards in the Brexit withdrawal agreement for access to personal data in the UK would necessarily apply in the case of disclosure obligation to digital platforms operating from within the US, regardless of whether or not the data was held there, and whether they would apply to requests made under the US Cloud Act.
Given that the EC is already negotiating its own agreement with the US to allow law enforcement agencies access to electronic evidence held in each other’s jurisdiction, Jelinek stressed that any agreement reached “must prevail over US domestic laws” and include adequate data protection safeguards for EU citizens.
“This notably includes ensuring the continuity of data protection in case of onward sharing and onward transfers,” she said. “In this context, the EDPB wishes to repeat its call for further improvements to the level of safeguards established by the EU-US Umbrella Agreement, for instance as regards the availability of judicial redress.”
Jelinek said it was also essential for the safeguards to include mandatory prior judicial authorisation as a guarantee for access to data, and noted that a preliminary assessment had failed to identify any clear provision in this regard in the UK-US agreement.
“Should the European Commission present…
Oracle and Salesforce sued over online ad tracking
Oracle and Salesforce face precedent-setting class action lawsuits in Dutch, English and W…
Schrems II Judgment Day
The Court of Justice of the European Union (“CJEU“) issued its judgment today in …
