A letter sent by member of European Parliament Paul Tang, seen by Euractiv, raises questions regarding the potential effects of the UK’s Data Protection Bill on the EU’s General Data Protection Regulation (GDPR).
The letter, dated 22 February, states that the UK’s Data Protection and Digital Information Bill would weaken the protection of the GDPR and the protection of EU citizens.
“The soon-to-be-voted Data Protection & Digital Information Bill (DPDI), which is the UK Government’s attempt to replace GDPR, risks violating the Trade and Cooperation Agreement and the rights of EU and UK citizens”, the letter reads.
As Euractiv reported last year, London’s proposed overhaul of its version of the GDPR has garnered interest in Brussels due to its potential impact on the EU-UK data adequacy agreement established in 2019.
This agreement facilitates continuous data transfers between the EU and the UK, resulting in concerns over the restructuring of current laws and that EU citizens’ data could be shared with third parties who do not meet Brussels’ data protection criteria.
“Not only is it eliminating the Biometrics and Surveillance Camera Commissioner, but it also allows indefinite retention of certain biometric data by UK law enforcement”, Tang wrote about the bill in his letter to the Commission, adding that “the DPDI undermines safeguards set by the European Court of Human Rights, potentially jeopardising law enforcement cooperation frameworks like Prüm II and the Law Enforcement Directive”.
Prüm II allows for automated data exchange for police cooperation and was proposed by the EU Commission in December 2021 under the legislative package on the EU Police Cooperation Code to address issues related to police cooperation concerning criminal investigations. The reform is a proposed update to the Prüm Framework, which came to life in 2005.
Questions
Tang had three questions for the Commission, one of them being about Prüm:
“Has the Commission considered the consequences that these provisions may have on law enforcement cooperation between the EU and the UK, for instance, within the Prüm I and Prüm II Framework or against the UK adequacy decision adopted under the Law Enforcement Directive?”
Another query from the MEP pertained to whether the Commission had evaluated the effects of the DPDI provisions on the protection of biometric data of European citizens under the GDPR and their compatibility with the European Court of Human Rights (ECtHR) ruling in S and Marper vs. UK.
The case of S and Marper vs. UK in 2008, determined by the ECtHR, established that retaining DNA samples of individuals arrested but subsequently acquitted or having charges dropped constitutes a breach of the right to privacy outlined in the European Convention on Human Rights.
The third question was: “Does the Commission intend to annul the adequacy decision granting a free data flow between the EU and the UK once this bill is adopted?”
Others also concerned
During a debate last April, members of the UK parliament expressed concerns raised by British businesses and researchers regarding the potential jeopardy of data adequacy about the bill.
Julia Lopez, the minister of state for the Department of Culture, Media and Sport, said at the time that the UK had been in “constant contact” with the Commission throughout the proposal’s development.
“We are worried about changes to fundamental principles, including the meaning of personal data, uses of data for scientific research and impact assessments”, Colette Collins-Walsh, head of UK affairs at the 5Rights Foundation, told Euractiv.
“We are extremely concerned about the status of the Age Appropriate Design code and children’s personal data”, she added, also saying that “Although the major loss will be felt to those residing in the UK, given the huge amount of people, commerce and data that flows between the EU and the UK any change to the UK regime will always impact EU citizens.”
The problem with transfers arises because Gibraltar meets the UK’s requirements but not the EU’s. “This type of issue is going to create problems for transfers if the DPDI Bill is enacted”, Chris Pounder, co-founder and director at the Amberhawk Training Limited, told Euractiv.
Pounder also pointed out other problems to Euractiv, such as that the DPDI could undermine regulatory independence. According to him, the definition of personal data in the UK bill results in non-compliance with Convention 108 of the Council of Europe, which is the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.
Euractiv reached out to the European Commission for a comment but it said that the letter was not yet received – a possibility as the Parliament sometimes needs some time to do a legal check before officially sending such a letter.
However, Euractiv learned that the questions were officially tabled.
[Edited by Alice Taylor]