First official European response to the Data Protection and Digital Information Bill

It was only after a rather agonising wait of 6 months  that, in June 2021, the Commission issued its adequacy decision (there is actually a second decision, with regard to personal data in criminal investigations under the Law Enforcement Directive, but this blog will only refer to the GDPR one).  This confirmed that the privacy regime in the UK offered an essentially equivalent level of protection for individuals’ data as that which they had in the EU.  However, that decision came with strings attached, in the form of a ‘sunset clause’ which provided that it was time-limited to four years from the date of granting (i.e. to June 2025). At the end of that period, the EU would assess whether the adequacy arrangement was functioning as intended and that nothing had changed in the intervening years to alter the UK’s ‘essentially equivalent’ status in the Commission’s eyes.  If the outcome of this review was positive, the EU would agree to extend the term of the adequacy decision.  If the Commission determined it was not working – e.g. it had been undermined for some reason – then it would be allowed to expire.

Non-renewal of the decision would be no small matter for UK businesses.  The administrative and legal costs of putting in place alternative mechanisms (including SCCs or BCRs) to cover the millions of transfers of personal data that occur every day between the EU and UK, together with the cost to the UK economy of the disruption in trade that would result from the decision not being extended, have been estimated at between £1 billion and £1.6 billion.

So, you would expect that all UK stakeholders – especially the Government – would be hyper-vigilant not to do anything to jeopardise this hard-won and precious designation, however this has not been the case.  In 2022, the Government set the cat among the pigeons  by introducing its Data Protection and Digital Information Bill (the ‘DPDI Bill’) into Parliament.  The DPDI Bill aims to streamline several of the original GDPR’s requirements, which were transposed into the UK GBPR on Brexit, to lighten the administrative burden of data protection (DP) compliance on British businesses and thereby make them more competitive.  However, the DPDI Bill, if passed in its current form, has been described by some commentators as posing a real threat to the UK’s adequacy status, due to its divergence from/dilution of certain key elements of the EU GDPR, such as the definition of personal data, the role of data protection officers (DPOs) and the independence of the privacy regulator, the Information Commissioner’s Office (ICO).  Any EU decision to renew the UK’s adequacy finding will be based not on ease of compliance with the UK GDPR, but rather its protection of data subjects’ rights and freedoms.  But it has been said that in the name of cutting ‘red tape’, the Bill erodes some of those rights and freedoms quite significantly.

Although he continues to say that he broadly supports the Bill, the Information Commissioner has recently expressed misgivings about its not specifying what types of processing constitute ‘high risk’ (an undefined term used more than once in key parts of the draft legislation), and its removal of a future-proofing power which the Commissioner had previously suggested to allow the ICO to designate further, additional processing activities as “high risk”.  The Commissioner also has reservations about the power the Bill grants to the Government’s Department of Work and Pensions to compel banks and other institutions to provide data about individuals suspected of benefits fraud.

After nearly two years, the Bill is still grinding its way through Parliament (it is currently with the House of Lords for its Second Reading).  In March of 2024, the Lords launched an inquiry by its European Affairs Committee into the UK’s adequacy decision.  This enquiry is focused on: the values of the existing adequacy regime and possible challenges to renewal of the UK’s current arrangement; the implications of any such non-renewal (or what it calls a “no or disrupted UK-EU data adequacy scenario”); and what can be learned from other countries’ experience with the adequacy system.

The European Affairs Committee’s Call for Evidence invited the views of “anyone with expertise in or experience of” data adequacy on a list of around a dozen questions concerning the adequacy finding.  On 22 April, the Committee received its first substantial official response from a European Union institution – the LIBE (Civil Liberties, Justice and Home Affairs) Committee of the European Parliament.  In a written submission to the House of Lords committee inquiry, the LIBE Committee voiced serious concerns about a number of issues that it thought could result in the withdrawal by the European Commission of the UK’s adequacy status, with all the negative consequences that would arise from such a move.

The LIBE committee’s letter started by criticising three aspects of the DPDI Bill which it considers “controversial”:

• One of the Bill’s proposals to change the definition of personal data, which specifies that pseudonymised data in the hands of a processor or other person who is not the controller of it will no longer be considered personal data.
• Undermining the independence of the ICO (which itself is to be structurally reformed), due to the Bill imposing requirements on the Commissioner when exercising their powers to protect personal data also to have regard to other interests such as promoting innovation and competition, public safety, the international agenda of the UK Government, and to follow a statement of priorities laid down by the Secretary of State.  The LIBE panel believes that such considerations are outside the Commissioner’s competence and could compromise their political neutrality.
• A power of the Secretary of State to designate other third countries or international organisations as having adequate DP laws, regardless of whether the European Commission has awarded the country or organisation adequacy status (the UK has already done this with Gibraltar, which does not have an adequacy decision from the EU).  The LIBE Committee is “strongly concerned” (it uses a variant of the word ‘concerned’ 11 times in a 10-page document) that in such cases, the UK’s adequacy status could lead to the onward transfer of EU people’s data to countries or international organisations not deemed adequate under EU law.

More generally, the European Parliament committee’s evidence has some quite impactful things to say about the ICO’s record on enforcement of the GDPR (in its EU and then post-Brexit UK forms):

‘The UK data protection supervisory authority, the ICO, is one of the largest in Europe. However, according to experts … despite having a lot of capacity and resources, ICO enforcement is currently rather weak. The LIBE Committee is concerned that such a lack of enforcement is a structural problem …  In practice, this has meant that a large number of breaches of data protection law in the UK have therefore not been remedied.’

How the UK regulator responds to such criticism will be interesting to note.

Finally, the LIBE Committee’s submission reminds the reader that the UK’s membership of the European Convention on Human Rights (ECHR), and therefore its compliance with the rulings of the European Court of Human Rights (ECtHR), were important factors in determining its adequacy.  Therefore, given the recent discussion, however speculative, among certain members of the UK’s governing party (including the Prime Minister) about the UK potentially withdrawing from the Convention and ECtHR if its Rwanda scheme is opposed by the Strasbourg court, the LIBE Committee goes on to state:

“any possible changes to the UK's Human Rights Act or the UK’s departure from ECHR jurisprudence would, in the opinion of the LIBE Committee, have a negative impact on the [sic] UK adequacy”.

But what sway does the opinion of the LIBE Committee actually have? – well, it is a well-informed and respected stakeholder group, but its assessment is by no means conclusive.  Don’t forget that it strongly objected to the UK being granted data adequacy in the first place, to no avail.

Following the Prime Minister’s recent announcement of a snap General Election, the DPDI Bill is not going to be passed before Parliament is dissolved.  If the Conservatives are re-elected on 4 July, then the Bill will continue its passage through Parliament and may be enacted in the next parliamentary session.  If there is a change of Government however, it is very unlikely that the Bill will become law in its current form, and it may be scrapped altogether.

‍