BREXIT: data adequacy

The one certainty post-Brexit is that there is - for the moment at least - greater uncertainty, not least in relation to cross-border transactions between the EU and the UK, with the UK’s newly acquired “third-country” status. This “third-country” status has implications under the EU’s General Data Protection Regulation (GDPR) for data transfers between the UK and the EU[1]. 

With the last-minute nature of the deal reached, there was insufficient time for the European Commission (Commission) to complete an adequacy assessment of the UK’s data protection regime. Instead, on 24 December 2020, the UK and the EU agreed to a bridging mechanism which will allow the free flow of data between the UK and EU member-states to continue for four months (with the potential for an extension of an additional two months), while the Commission completes its assessment. As the end of the first month draws near, Hausfeld takes stock.

Introduction

Since 25 May 2018, the processing of personal data has been regulated by the GDPR, which was incorporated into UK law in the Data Protection Act 2018 (DPA). Personal data is defined as information from which a person is identified or identifiable, directly or indirectly[2], and can include, but is not limited to, names, location data, and online identifiers such as IP addresses. Where a country outside of the EU secures “Data Adequacy” status from the Commission, this indicates that it provides a level of personal data protection comparable to that provided in European law; the practical result is that data can move freely between that third country and the EU without the need for further protective measures.

The bridging mechanism in the EU-UK Trade and Co-operation Agreement, entered into on 30 December (TCA),[3] provided that the UK will not be treated as a “third country” for the purposes of the GDPR for a four month period (with the possibility for a further two month extension) provided it does not:

  1. modify the UK’s current data protection law (UK GDPR)
  2. exercise certain “designated powers” under the DPA and UK GDPR[4], without the approval of the EU.

In addition, while the mechanism permits data transfers from the EU/EEA to continue without additional safeguards being required (such as payroll details transferred to the UK from an EU/EEA-based business partner), the UK’s ICO and the UK Government have recommended that UK businesses implement alternative transfer arrangements as a precaution against any interruption. All businesses should therefore review data flows between the UK and EU/EEA member-states, including auditing what data is held and where, and where it is being transferred to and from.

The current position

Transfers of data from the UK to the EU/EEA can continue unrestricted as the UK has confirmed that it considers all EU/EEA member-states to confer adequate data protection for the purposes of UK data protection law. This, however, is being kept under review. Transfers of data from the EU/EEA to the UK can continue for the next four (potentially six) months but if the UK is not awarded adequacy status by the end of June, such transfers will be subject to additional safeguard measures as set out below.

Could the UK be refused adequacy status?

Although the UK has implemented the GDPR and the EU Data Protection Law Enforcement Directive[5] in the DPA, there is no guarantee that the UK will be awarded adequacy status. After all, the Court of Justice of the European Union (CJEU) has ruled twice that the UK’s handling of personal data is not in line with EU law[6]. Furthermore, the DPA waives data protection rights in areas relating to immigration control, which may be in contravention of EU fundamental rights protections[7].

Securing an adequacy decision from the Commission remains the best way for the UK to ensure that data continues to flow freely between the UK and the EU/EEA. Twelve non-EU/EEA countries or territories have secured adequacy status from the Commission to date, including New Zealand and, recently, Japan. The USA and Canada, meanwhile, have been deemed to provide “partially” adequate protection, with it being possible to transfer EU/EEA data under specific conditions to certain organisations.

It appears unlikely that the Commission will award the UK adequacy status if there is a risk that data from the EU/EEA could be passed on to countries which do not themselves offer an adequate level of protection, for example to Australia, which has not secured an adequacy decision from the EU/EEA. On the other hand, given the UK is an ex-member-state with whom data was freely exchanged while it was part of the EU, any decision that it does not meet the adequacy requirements now would set a high benchmark for countries seeking adequacy status in the future and/or point to a potential flaw in the assessment criteria.

What if the UK is not awarded adequacy status, or if adequacy is challenged?

Should the UK not be awarded adequacy status, additional legal safeguards would need to be put in place before data could be transferred between the UK and the EU/EEA, costing businesses time and money regardless of their location – businesses already undergoing significant hardships due to COVID-19. A paper published by the New Economics Foundation in November last year estimated that alternative transfer provisions could cost UK businesses £1.6 billion[8]. The additional concern is that some EU/EEA businesses may elect to discontinue trade with UK counterparts given such burdens and uncertainties.

The prospect that even if there is an adequacy decision in favour of the UK, it might subsequently be challenged - by either the European Parliament or privacy campaigners - and invalidated by the CJEU remains real, as happened in Schrems I[9] and Schrems II[10]. In Schrems II, the CJEU declared the European Commission's Privacy Shield Decision (which granted the US adequacy status for data protection purposes) invalid due to invasive US surveillance programmes, thereby making transfers of personal data from the EU to the US based on the Privacy Shield Decision illegal.

While an adequacy decision in favour of the UK is clearly the most straightforward means of enabling data protection compliant transfers between the UK and the EU/EEA, there are other legal safeguards which can be adopted in the absence of adequacy status to ensure data protection compliance:

  • Standard Contractual Clauses (SCCs) are a commonly-adopted solution to a lack of adequacy status but implementing these involves additional complexity and cost. Further, the CJEU’s decision in Schrems II has made data transfers from the EU to non-EU countries using SCCs more complex. The European Data Protection Board (EDPB) has published guidance on the implications of the invalidation of the EU-US Privacy Shield and its implications for the use of SCCs.[11]
  • Binding Corporate Rules (BCRs) may be relied upon in relation to restricted transfers from the UK if they are made within a corporate group. Guidance has been issued by the EDPB on BCRs approved by the ICO[12]. The effect of the CJEU’s decision in Schrems II is that existing BCRs must be reassessed to ensure suitable safeguards are in place and supplementary measures adopted as necessary.
  • Codes of Conduct - data transfers can be made where the data receiver has signed up to an ICO-approved code of conduct. No approved codes of conduct are yet in use, but the ICO promotes the development of such codes and detailed guidance and support is available[13].
  • Certification under an approved certification scheme - if the data receiver has been certified under a scheme approved by the ICO, data can be transferred without an adequacy decision.
  • Derogations including obtaining the data subject’s consent.

Timing

At the moment it is difficult to gauge whether the UK will be granted adequacy status. The UK Government continues its efforts to confirm the position. Last week, the UK’s data protection minister John Whittingdale stressed that the UK has and continues to adhere to a legal framework based on the EU’s GDPR, and deserves a fast adequacy ruling. This view was shared by Julian King, the UK’s final EU commissioner, who told the House of Lords Sub-Committee on EU Security and Justice last Monday that the GDPR is operated as effectively in the UK as it is, in his experience, anywhere else in the EU. Watch this space.

Footnotes

[1] And, additionally, EEA member-states.

[2] Article 4(1) GDPR, see also.

[3] Part 7, FINPROV. 10A, TCA pages 414-416

[4] Article 3, FINPROV. 10A, TCA pages 414-41

[5] Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data.

[6] Joined Cases C‑203/15 and C‑698/15, Tele2 Sverige AB (C203/15) v Post- och telestyrelsen, and Secretary of State for the Home Department (C698/15) v Tom Watson, Peter Brice, Geoffrey Lewis (interveners: Open Rights Group, Privacy International, The Law Society of England and Wales) ECLI:EU:C:2016:970; and Case C-623/17 Privacy International v Secretary of State for Foreign and Commonwealth Affairs and Others ECLI:EU:C:2020:790

[7] See, for example, Written evidence submitted by Liberty (The National Council for Civil Liberties), Data Protection Bill, March 2018

[8] D. McCann, O. Patel and J. Ruiz (2020) The cost of data inadequacy.

[9] Maximillian Schrems v Data Protection Commissioner C-362/14 EU:C:2015:650 https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62014CJ0362

[10] Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems C-311/18 EU:C:2020:559 http://curia.europa.eu/juris/document/document.jsf?docid=228677&doclang=EN

[11] European Data Protection Board, Frequently Asked Questions on the judgment of the Court of Justice of the European Union in Case C-311/18 - Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems.

[12] Last year, the ICO confirmed that holders of ICO approved BCRs will be automatically eligible for a UK BCR but were required to produce a UK version by 1 January 2020 (to be provided to the ICO in due course).

[13] ICO guide to the GDPR codes of conduct.