EU hopes to adopt UK data adequacy decisions by early June, Reynders says
16 Mar 2021 4:11 pm by Jakub Krupa
The EU hopes to proceed with the adoption of the UK data and law-enforcement adequacy decisions "by the end of May, beginning of June" as it expects the bloc's privacy watchdogs to deliver their view in mid-April, EU commissioner Didier Reynders said today.
The timeline, first reported by MLex last month, was confirmed at a European Parliament committee hearing today.
"The two proposed adequacy decisions are currently being scrutinized by the European Data Protection Board, which should deliver its opinion by mid-April. After that, the process involves consultation of the member states ... We hope to be able to proceed with the final adoption of the two decisions by the college [of EU commissioners] by the end of May, beginning of June," Reynders said.
During an exchange of views with EU lawmakers, the commissioner today defended the decision to issue draft adequacy decisions, arguing that "the UK is much closer to us compared to a typical situation with other [countries outside the EU], where adequacy is a way to increase convergence between two initially rather distant systems."
"We continue to speak the same data protection language across the Channel when it comes to key concepts," he said, pointing out that the UK has "essentially incorporated — copy-pasted — the provisions of the [General Data Protection Regulation] and Law Enforcement Directive into national law."
He further pointed to the UK's participation in "important common standards" such as the Council of Europe's Convention 108 and the European Convention on Human Rights.
"The key challenge in this case is not so much the level of protection currently enshrined in the UK, but rather how to manage and remedy potential future regulatory divergence, or, in other words, how to ensure that the adequacy finding will be future-proof," he said. "Can we trust the UK not to lower the current level of protection?"
He further acknowledged the "skepticism" of some EU lawmakers, which "may have increased" as a result of broader trade disputes with the UK government, including a legal challenge over the Northern Ireland protocol.
But the commissioner argued that the EU's proposed approach, under which the adequacy decisions automatically expire after four years and must go through the extensive adoption process again — unlike the usual "review" clause — gives it leverage in future discussions.
"We have chosen an expiration date of four years, because it will take some time until the UK's approach to data protection will be fully developed. We can only decide whether the adequacy decisions should be renewed once we know in which direction the UK is moving," he said.
In particular, Reynders pointed to the UK's "fully autonomous regime" on international data transfers, including any agreements with the US, and potential changes to domestic regulations as critical areas to be monitored by Brussels.
"By including that time limitation, we make clear to the UK that problematic divergences will have consequences, and will have a cost," Reynders said. The commission will "not hesitate to take action if it's revealed that the standard is no longer fulfilled" even at an earlier stage, including suspension or withdrawal of the adequacy.
The post-Brexit divergence will be overseen by a new information commissioner after the UK government began its search for the successor to Elizabeth Denham as her term expires in October.
Senior UK officials said that the new head of the data protection authority would be asked to "help and advise business on how to comply with data protection laws, while minimizing regulatory burdens".
The commission's plan was met with hostile reactions from EU lawmakers, who repeatedly voiced concern about the UK's compliance with the GDPR, including the country's surveillance and bulk data collection regime, immigration exemption to data protection legislation, and the criminal-justice cooperation agreement with the US.
"The adequacy decision looks very much to me like a political decision ... I think what is happening here is not the presumption of compliance by the UK; it's the pretense of compliance, and we are fooling our citizens," said Dutch parliamentarian Sophie in 't Veld.
"You said: can we trust the UK in general terms? No, I don't think we can trust the UK, because they're breaching the [Brexit] agreement the whole time," she said.
Patrick Breyer, a German lawmaker, warned that the commission needs to "insist the UK surveillance law is amended or else you will fail in court," adding that this would create "a lot of uncertainty for citizens and businesses alike."
"The [EU Court of Justice] has repeatedly overturned the commission's view that the US intelligence agencies, mass surveillance powers, and programs are in line with fundamental rights. I can't believe that the commission is again about to defend this kind of gross violations of our fundamental rights, [this time] regarding the UK," he said.
UK lawmakers were told last year that it was "very likely, if not certain" that a legal challenge would be mounted as soon as the decisions get formally adopted, which remains the consensus view among privacy experts.