Brexit update: UK-EU data transfers in anticipation of an adequacy decision
On 19th February 2021 the European Commission published two draft adequacy decisions for transfers of personal data from the European Union to the United Kingdom (one under the General Data Protection Regulation (GDPR) and one under the Law Enforcement Directive (LED)).
The publication of the two draft adequacy decisions was the result of months of assessment of UK law and regulation regarding personal data by the European Commission, and the Commission’s conclusion that the UK’s domestic data protection framework guarantees an essentially equivalent level of data protection to that provided by the GDPR and the LED.
If approved, this would allow for personal data to continue to be transferred between the UK and the EU for both commercial and law enforcement purposes.
The draft adequacy decisions will now be reviewed by the European Data Protection Board (EDPB) and representatives of EU Member States before the European Commission is then given the opportunity to formally adopt them.
Why is adequacy important?
Following Brexit (i.e. the UK withdrawing from the European Union on 31st January 2020) and the end of the Brexit transition period (on 31st December 2020), the UK is now a “third country” for the purposes of the GDPR (i.e. a country that is not an EU Member State). As part of the UK-EU post-Brexit Trade and Cooperation Agreement, both sides agreed to treat the UK de facto as an EU Member State for the purposes of data transfers for a limited period (i.e. up to 6 months). Once this additional period expires, data transfers from the EU to the UK will be prohibited unless the GDPR rules on data transfers are observed.
The GDPR provides that transfers of personal data from within the EU to third countries (i.e. transfers to outside the EU) are generally prohibited unless certain conditions regarding the protection of personal data are met. (Art.44 GDPR)
Significantly, as per Chapter 5 of the GDPR, transfers of personal data from the EU to the UK will only be permissible if one of the following criteria is met:
- The UK is deemed to have an “adequate” system of law and regulation for the protection of personal data that provides an “essentially equivalent” standard of protection to the GDPR, and is formally accepted as an “adequate” third country by the European Commission (i.e. the UK is given an “adequacy decision”). (Art.45 GDPR)
- Recipient data controllers in the UK have established “appropriate safeguards” for any personal data received from the EU. For instance, transfers of personal data from the EU to the UK might be undertaken on the basis of binding corporate rules (BCRs) or standard contractual clauses (SCCs) issued by the European Commission which guarantee compliance with the substantive terms of the GDPR. (Art.46 GDPR)
- A derogation to the GDPR’s general international transfer restriction applies. For instance, where the transfer is necessary for the performance of a contract. (Art.49 GDPR)
The first of these three options would be by far the most advantageous and uncomplicated way forward. The adoption of an adequacy decision for the UK would create legal certainty and allow personal data to continue to flow between the EU and the UK without the need for any additional requirements or transfer mechanisms. The European Commission has already granted adequacy decisions to a range of non-EU countries, such as Japan, New Zealand, Switzerland and Uruguay, and negotiations are ongoing with South Korea.
The alternative, making transfers based on “appropriate safeguards”, would not be an optimum solution for many UK-based firms whose business involves or relies on transfers of data with the EU. BCRs require regulatory approval and can be extremely resource-intensive to construct and maintain. SCCs are unwieldy and inflexible and cannot be changed or adapted for specific needs or circumstances. More importantly, when determining the level of protection afforded by SCCs, the Court of Justice of the European Union held in the Schrems II decision that if there are indications that the surveillance regime of a third country may impact the effectiveness of ‘appropriate safeguards’ (see the ‘European Essential Guarantees’ issued by the EDPB for assessing a surveillance regime), ‘supplementary measures’ must be adopted by the data exporter and the data importer (see the EDPB Guidance on supplementary measures). Transfers made on the basis of derogations are also not a viable long-term option, given that these are not intended to be used to justify regular or repeated transfers of data.
The upshot of all this is that if the UK were not to be granted an adequacy decision this would likely result in significant financial and administrative burdens for UK and EU firms whose operations rely on the smooth exchange of personal data with data controllers and data subjects in the EU. It would also likely be significantly disadvantageous to the maintenance of close trade ties between the UK and the EU more generally.
Similar data transfer rules can be found in the LED where data transfer is sought for law enforcement purposes (Arts 35-40 LED). Any obstacle to information sharing for law enforcement purposes post-Brexit has been considered a threat to public safety in the UK, and the UK government has been adamant in emphasising the importance of continuity of information exchange built on an adequacy decision ever since it first set out its prospects for the future partnership post-Brexit. If approved, the draft adequacy decision on data transfers for law enforcement purposes would enable information sharing that is vital for the protection of public security and for UK-EU cooperation in criminal matters. Specific arrangements would still have to be made for the UK’s continued participation in a number of the most significant EU databases, on top of a future UK adequacy decision, because there is no precedent for allowing access to some databases, such as the Schengen Information System and the European Criminal Records Information System, from outside the EU (see the discussion on each database). Nevertheless, the prospect of an adequacy decision is essential for those databases where there is a precedent for EU information sharing with a third country, such as Passenger Name Records data.
Looking to the future
As noted above, the publication of the draft adequacy decisions highlights the belief of the European Commission that the standard of protection established by the UK’s data protection framework, notably the Data Protection Act 2018, is “essentially equivalent” to that which applies in the EU under the GDPR. The confirmation and adoption of these proposals would help to bring certainty for many firms whose business models are constructed around the acquisition and processing of personal data, and for those who, because of Brexit, have been left in a position of uncertainty regarding whether and when transfers of personal data to or from the EU will or will not be lawful. This is not a merely academic problem. As noted elsewhere, uncertainty regarding whether the European Commission would grant the UK an adequacy decision has forced some companies to postpone or abandon data innovation projects in order to save resources in case an adequacy decision never materialised. Though the proposed decisions still require approval and adoption, they are a cause for optimism for UK firms who rely on exchanging personal data with parties in the EU.
It is important to note, however, that even if the proposed adequacy decisions are adopted, this will not necessarily be the end so far as complications linked to EU/UK transfers of personal data are concerned. First and foremost, adequacy decisions are not permanent. They are subject to re-examination every four years and can be revoked at any time. Whilst the UK has committed itself to following the GDPR for the foreseeable future, following Brexit it now has the legislative freedom to diverge from EU data protection rules. In theory, this will include the ability to establish lower data protection standards than those that are currently demanded by the EU/GDPR. This is a possibility that is now being discussed and considered by some observers.
Were this to occur, and the UK adopted standards of data protection drastically different from the minimum required under the GDPR, it is likely that any adopted adequacy decision would be revoked by the European Commission.
There is also a risk that, assuming the proposed adequacy decisions are confirmed and adopted, their validity may be subject to legal challenge. In the Schrems II case the CJEU invalidated the “Privacy Shield” partial adequacy decision awarded to the USA by the European Commission in 2016. This decision was taken on the basis that, in the view of the CJEU, the limitations on the protection of personal data arising from the USA’s domestic laws on the access to and use by US public authorities of personal data transferred from the EU to the USA were not circumscribed in a way that satisfied requirements essentially equivalent to those required under EU law (i.e. the GDPR). Put simply, the CJEU declared the Privacy Shield adequacy decision to be void because US law could not guarantee that the personal data of individuals transferred to the USA from the EU would not be disproportionately exposed to, and caught up in, the USA’s invasive surveillance initiatives. If an adequacy decision is awarded to the UK, there is a chance it may suffer the same fate as the US Privacy Shield. In a Tweet posted on 19th February, Max Schrems, the privacy activist behind the Schrems II litigation, hinted at the possibility of a legal challenge being made in respect of any future UK adequacy decision due to the invasive nature of the surveillance initiatives of the UK government.
Is (In)Adequacy Evitable?
Certainly, the UK surveillance regime has had its fair share of legal challenges both before the European Court of Human Rights (ECtHR) and the CJEU. In Big Brother Watch v UK, the Chamber of the ECtHR found parts of UK surveillance law on the indiscriminate collection of metadata through an automated selection process unlawful under the European Convention on Human Rights. This decision by the Chamber was followed by the CJEU’s Privacy International decision, where the Court considered that compelling communication service providers by law to forward data to security and intelligence agencies was unlawful under EU law. Both of these judgments have mobilised criticism from commentators that UK law does not provide ‘essentially equivalent protection’ to personal data (see here and here). UK surveillance law is not the only reason that commentators argue for the UK’s (in)adequacy for personal data protection. The immigration exemption under the UK Data Protection Act 2018, under which the government can restrict access to personal information (despite the High Court decision upholding the exemption), the UK-US arrangements on access to personal data, which may allow US authorities easy access to EU citizens’ data when held in the UK, and the UK’s membership of the Five Eyes intelligence-sharing alliance are further concerns regarding the UK’s data protection standards. Indeed, the two draft adequacy decisions have already been scrutinised and criticised for failing to address those concerns.
For now, however, all eyes are on the EDPB for its opinion on the proposals of the European Commission. Watch this space.