European Data Protection Board - 48th Plenary Session

14 April 2021 EDPB

Opinions on draft UK adequacy decisions, Guidelines on the application of Article 65(1)(a) GDPR, Guidelines on the targeting of social media users and Statement on international agreements including transfers

During its plenary session, the EDPB adopted two Opinions on the draft UK adequacy decisions. Opinion 14/2021 is based on the GDPR and assesses both general data protection aspects and government access to personal data transferred from the EEA for the purposes of law enforcement and national security included in the draft adequacy decision. This assessment is based on the GDPR Adequacy Referential WP254. Opinion 15/2021 is based on the Law Enforcement Directive (LED) and analyses the draft adequacy decision in the light of Recommendations 01/2021 on the adequacy referential under the Law Enforcement Directive, as well as the relevant case law reflected in Recommendations 02/2020 on the European Essential Guarantees for surveillance measures. This is the first draft implementing decision on a third country’s adequacy under the LED ever presented by the European Commission and assessed by the EDPB.

The EDPB notes that there are key areas of strong alignment between the EU and the UK data protection frameworks on certain core provisions such as: grounds for lawful and fair processing for legitimate purposes; purpose limitation; data quality and proportionality; data retention, security and confidentiality; transparency; special categories of data; and on automated decision making and profiling.

EDPB Chair, Andrea Jelinek said: "The UK data protection framework is largely based on the EU data protection framework. The UK Data Protection Act 2018 further specifies the application of the GDPR in UK law, in addition to transposing the LED, as well as granting powers and imposing duties on the national data protection supervisory authority, the ICO. Therefore, the EDPB recognises that the UK has mirrored, for the most part, the GDPR and LED in its data protection framework and when analysing its law and practice, the EDPB identified many aspects to be essentially equivalent. However, whilst laws can evolve, this alignment should be maintained. So we welcome the Commission's decision to limit the granted adequacy in time and the intention to closely monitor developments in the UK.”

The EDPB underlines that several items should be further assessed and/or closely monitored by the European Commission in its decision based on the GDPR, such as:

Immigration Exemption and its consequences on restrictions on data subject rights;
The application of restrictions to onward transfers of EEA personal data transferred to the UK, on the basis of, for instance, future adequacy decisions adopted by the UK, international agreements concluded between the UK and third countries, or derogations.

Regarding access by public authorities for national security purposes to personal data transferred to the UK, the EDPB welcomes the establishment of the Investigatory Powers Tribunal (IPT) to address the challenges of redress in the area of national security, and the introduction of Judicial Commissioners in the Investigatory Powers Act (IPA) 2016 to ensure better oversight in that same field. The EDPB still identifies a number of points requiring further clarifications and/or monitoring:

Bulk interceptions;
Independent assessment and oversight of the use of automated processing tools;
Safeguards provided under UK law when it comes to overseas disclosure, in particular in light of the application of national security exemptions.

The Board adopted Guidelines on the application of Article 65(1)(a) GDPR to delineate the main stages of the procedure and clarify the competence of the EDPB when adopting a legally binding decision on the basis of Article 65(1)(a) GDPR. The Guidelines also include a description of the applicable procedural safeguards and remedies. The guidelines will be subject to public consultation for a period of six weeks.

The EDPB adopted a final version of the Guidelines on the targeting of social media users following public consultation. The aim of the Guidelines is to clarify the roles and responsibilities of social media providers and targeted individuals. The final version integrates updated wording in order to address comments and feedback received during the public consultation.

The EDPB adopted a Statement on international agreements including transfers. The EDPB invites EU Member States to assess and, where necessary, review their international agreements that involve international transfers of personal data and which were concluded before 24 May 2016 (for those relevant to the GDPR) and 6 May 2016 (for those relevant to the LED) to align them, where necessary, with EU data protection law.

The agenda of the forty-eighth plenary is available here.

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

EDPB_Press Release_2021_03

European Data Protection Board - 48th Plenary Session

Luxembourg’s supervisory authority CNPD has published 18 decisions on the outcome of investigations

Dutch DPA: CP&A receives fine for violating privacy of sick employees

EDPB Annual Report 2020: Ensuring data protection rights in a changing world

EDPB Plenary - adopted documents

EDPB adopts opinions on first transnational codes of conduct, Statement on Data Governance Act, Recommendations on the legal basis for the storage of credit card data.