EU – EDPB adopts positive opinions on draft UK adequacy decisions and adopts final Guidelines on targeting of social media users

The EDPB adopted two opinions on the draft UK adequacy decisions in relation to data transfers based on the GDPR and the Law Enforcement Directive (the LED). The EDPB confirms the conclusions of the European Commission, in particular that given UK data protection law and practice is largely based on the EU data protection framework, it is aligned on key provisions that are crucial for the recognition of essential equivalence. However, the EDPB voiced concerns about potential future divergence of the UK system that might have an impact on these findings, and thus welcomed the European Commission proposal to limit in time the adequacy decisions. The EDPB recommends to monitor closely and assess:

• the immigration exemption and its consequences on data subject rights;
• onward transfers (of EEA personal data transferred to the UK) on the basis of derogations, future adequacy decisions adopted by the UK or international agreements concluded between the UK and third countries; and
• the UK’s surveillance regime and the challenges of redress in the areas of national security, specifically bulk interceptions, the use of automated processing tools, and safeguards in relation to overseas disclosure.

At the plenary meeting, the EDPB also adopted several other documents, including:

• final Guidelines on the targeting of social media users, which aim to clarify the roles and responsibilities of social media providers and targeted individuals. The final Guidelines have not been released at the time of this publication;
• draft Guidance on certification criteria assessment, which complements and expands the Guidelines 1/2018 on certification and identifying certification criteria. The draft Guidance provides use case scenarios for accreditation and multi-national certification, and includes assessment notes for supervisory authorities and auditors. The draft Guidance is open for public consultation until 26 May 2021 and is available here;
• draft Guidelines on the procedure and competence of the EDPB when adopting binding decisions under of Article 65(1)(a) GDPR, as well as applicable procedural safeguards and remedies. The draft Guidelines are available here; and
• a statement on international agreements that involve the international transfer of personal data. The statement calls upon EU Member States to align, with EU data protection law, international agreements that were concluded before the adoption of GDPR and LED. The statement is available here.

Finally, the EDPB discussed the state of play of the review of draft Recommendations 01/2020 on supplementary measures following the CJEU decision in Schrems II and reflected on the hearing in the European Parliament’s LIBE Committee on Schrems II and the European Commission’s GDPR evaluation report.

The press release is available here. The agenda of the plenary meeting is available here.