Privacy Daily is a service of Warren Communications News.
Litigation Risk?

UK Data Use Bill Passes; Some Worry Britain Could Lose EC Adequacy Status

The controversial U.K. Data Use (and Access) Bill (DUA), which cleared Parliament Wednesday night and awaits Royal Assent before becoming law, continues to spark concerns about whether its divergences from the General Data Protection Regulation (GDPR) and other EU laws will adequately protect Europeans' personal data. Moreover, passage of the bill could prompt the European Commission to deny adequacy status to Britain's data-protection regime, privacy attorneys and civil society groups said.

In a recent letter to Michael McGrath, European commissioner for democracy, justice, the rule of law and consumer protection, eight civil society groups urged the EC to quickly review the U.K.'s adequacy status in light of DUA and other expected legislative changes.

"There is a substantive risk" that the UK's adequacy "could be struck down by the Court of Justice of the European Union if the UK's current data protection framework continues to be degraded," the groups' letter said. A judicial invalidation of adequacy would also disrupt key areas of EU-U.K. cooperation, damaging efforts to strengthen ties, they added.

European Digital Rights, Privacy International, Statewatch, Electronic Frontier Norway, Access Now, Politiscope, IT-Pol Denmark and Deutsche Vereinigung für Datenschutz signed the letter.

However, DUA is just one area concerning the eight groups, according to their letter. The U.K. is also considering a Border Security, Asylum and Immigration Bill that would, the letter said, compel the sharing of border control and customs data with U.K. intelligence agencies. Similarly, the Public Authorities (Fraud, Error and Recovery) Bill would enable U.K. government ministers to force banks to hand over information about people's accounts.

In addition, there are concerns about the continuing independence of the kingdom's Information Commissioner's Office, since the U.K. Data Bill would allow the government to appoint, dismiss and set salaries for all the members of the ICO board, the groups wrote.

Encryption Removal, Facial Recognition Key Issues

Other key issues are reforms to Britain's Investigatory Powers Act 2016, which allow the government to compel telecom providers to undermine data security by requiring them to remove encryption, and the order that Apple provide the ability to remove encryption at the government's request, the organizations said (see 2506050051).

Another worry is that British police are trialing or using live facial recognition technology without clear authorization, the letter said.

DUA "seeks to balance the need for flexibility in data processing with robust safeguards for personal data, reflecting the evolving digital landscape and the increasing importance of data-driven technologies," Hunton data privacy lawyers Sarah Pearce and Ashley Webber wrote Monday in a legal update.

The U.K. government believes DUA changes will be well-received by the EC when it reviews its adequacy decision, the attorneys continued. The EC extended the U.K.'s adequacy until December to allow the government more time to finalize DUA (see 2505060001).

The DUA approach to international data transfers has "attracted significant attention, particularly its potential impact on the UK's data adequacy status with the EU," TaylorWessing data protection attorney Miles Harmsworth noted in a June 4 article.

At its core, the bill "proposes a subtle change to the way in which a country's adequacy should be assessed for the purposes of data transfers," Harmsworth wrote. Under DUA, the Secretary of State will be able to use a data-protection test to determine whether a destination country's data-protection standard is "not materially lower" than the U.K.'s.

Currently, Harmsworth noted, U.K. and EU law mirror each other on this issue. Under EU law, the destination country must offer "essentially equivalent" protections to those that GDPR provides.

The U.K. "remains adamant" that DUA not jeopardize its EU adequacy status, Harmsworth said. However, he added, the balance could be tipped not by DUA but by the Investigatory Powers Act and the U.K. government's dispute with Apple over encryption (see 2503130014).

The EC "is particularly sensitive to how the UK manages security and intelligence agency access to personal data, especially considering that previous EU-US data transfer frameworks were invalidated primarily due to surveillance concerns," Harmsworth added.