Privacy Daily is a service of Warren Communications News.

UK EU Adequacy Ruling Could Falter After Law Changes, Parliamentary Researchers Say

The European Commission's adequacy decision permitting data flows from Europe to the U.K. expires June 27 and there are concerns about U.K. legislative reforms to data protection rules, a March Parliamentary Research Services memo said.

Under the General Data Protection Regulation (GDPR), companies can transfer personal data from the EU/European Economic Area to a third country only if the EC determines that the third country has an essentially equivalent level of data protection to that of the EU, the memo noted. Without an adequacy decision, businesses would have to use alternative transfer mechanisms, such as standard contractual clauses, it said.

A November 2020 study estimated that "inadequacy" would cost the U.K. around £1-1.6 billion ($1.3-2.1 billion), making data transfers between the U.K. and EU more complex and expensive for businesses, the memo said.

The GDPR requires the EC to review the relevant U.K. legislation and how it's implemented, including data protection rules, law enforcement acts and national security laws, the memo said. One pending measure is the Data (Use and Access) Bill, which is intended to reform the country's data protection and privacy framework to boost economic growth and modern digital government, and to clarify existing legislation that hampers safe development and deployment of some technologies, it said.

Provisions facilitating the flow and use of personal data for law enforcement and national security seek to cut out unnecessary complexity and processes and reduce differences across the data processing regimes, the memo said. However, digital rights advocates believe several provisions raise new or deepen existing adequacy concerns. These include: (1) Removal of protections around automated decision-making. (2) Less transparency, particularly in the area of AI. (3) Less accountability over how data is shared and accessed for law enforcement activities.

Another concern, the memo said, is the U.K. Investigatory Powers (Amendment) Act, which was enacted to help intelligence services keep pace with threats such as terrorism and child abuse in the face of accelerating technological developments. The measure governs the interception of communications, retention and acquisition of communication data and data retention.

A 2024 amendment, however, prompted concerns, still relevant, from digital rights groups, organizations and the tech industry, the memo said. Among these is a new provision introducing an ambiguously defined category of bulk personal data "with low or no reasonable expectation of privacy," which intelligence services may obtain without specific judicial approval.