In a resolution adopted on 21 May 2021 with a narrow majority of 344 against 311 votes, the European Parliament found that the European Commission’s assessment of the UK data protection law and practice is incomplete and inconsistent with the CJEU’s requirements for adequacy decisions. In February 2021, the Commission tabled two drafts for adequacy decisions (→ eucrim 1/2021, 7). They confirm the UK having an equivalent level of data protection to that of the EU – a precondition for future transfers of personal data both between private entities and between law enforcement authorities in accordance with the GDPR and Directive 2016/680. MEPs call on the Commission to address the concerns raised in the resolution and to amend the draft implementing decisions. The resolution mainly raises the following concerns:

• Lack and often non-existent enforcement of the GDPR by the UK when it was an EU Member State;
• Too broad exceptions from fundamental data protection rights, in particular in immigration law and for purposes of national security;
• No sufficient reaction by the UK yet as regards the use of mass surveillance data;
• Insufficient adequacy status as regards onward transfers, which can lead to the bypassing of the EU rules on data transfers to countries or territories not deemed adequate under EU law;
• Persistent concerns over UK’s data retention regime.

MEPs call on national authorities to suspend data transfers to the UK if guarantees are not included. If necessary, the Member States must conclude no-spy agreements with the UK. MEPs also share the opinions by the European Data Protection Board (EDPB) of April 2021 that identified deficiencies in the draft adequacy decisions and required further improvements.