Lorna Woods, Professor of Internet Law, University of Essex
Background
Under the General Data Protection Regulation (GDPR) and the data protection Law Enforcement Directive (LED), personal data may not be transferred outside the EU unless adequate safeguards are in place (e.g. via standard contractual clauses). The most comprehensive way this can be demonstrated – and the easiest for individual controllers and processors – is via an adequacy decision under Article 45 GDPR and Article 36(3) LED respectively. So far, twelve countries have, either fully or partially, been deemed adequate for GDPR purposes, including Andorra, Argentina, Canada (commercial organisations), Guernsey, Israel, Switzerland and, most recently, Japan – though note that in respect of its decision for Japan extra safeguards were required. While the Commission had found the US to be adequate, the Court of Justice disagreed (in the Schrems II judgment, discussed here).
With the UK now Brexited, it falls to be considered as a third country for data protection purposes, and appropriate arrangements for data transfers need to be in place. The UK Government planned for an adequacy decision, but by the end of the transitional period the Commission had not completed its assessment. A stop-gap measure was agreed in the EU-UK Trade and Cooperation Agreement (agreed by the EU and the UK on December 24, 2020: see overview of that agreement here) so that data flows between the two remain unrestricted either: (a) for a period of four months from 1 January 2021 (with an automatic extension for two further months unless either the UK or the EU objects); or (b) until an adequacy decision is granted by the Commission, whichever is earlier, and always provided the UK makes no substantive changes to its data protection laws. The European Data Protection Supervisor (EDPS), however, expressed some concern about this agreement.
On 19 February 2021, the European Commission published two draft decisions in respect of the adequacy of the UK for data protection purposes, one in relation to the GDPR, the other for the LED. While the decisions are of interest because of the Brexit context, they are also the first decisions drafted since the Schrems II judgment and therefore may provide illumination on the Commission’s response to that judgment. (Update, June 28 2021: the Commission has now officially adopted the final adequacy decisions for the UK; see the update at the end of this blog post.)
The Decisions
The decisions are long, the GDPR decision being longer than that in relation to the LED, so no doubt commentators are still reading and reflecting on the detail. The following initial comments can be made. The decisions follow a broadly similar structure. Both identify the context and the principles to be applied in their first paragraphs. For the GDPR these are Recital 104 GDPR, the jurisprudence of the CJEU, notably Schrems II, and the EDPB “Adequacy Referential”; in relation to the LED Decision the Court’s case law is relevant, as is the specific “Adequacy Referential” the EDPB only recently adopted (02/02/2021) in relation to the LED. While the adequacy standard might be the same, the context in relation to the GDPR and the LED differs, and different legal provisions are in issue. The main body of the decision in each case reviews the UK system. In its overview of the constitutional framework, the draft decision emphasises the Human Rights Act and the fact that the UK is a signatory to the European Convention on Human Rights as well as the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (“Convention 108”).
These international agreements
are important to the Commission in providing some stability to the UK’s ongoing
data protection commitments. In its press
release, the Commission commented that while it has left the EU,
… the UK
remains a member of the European “privacy family”. Continued adherence to such
international conventions is of particular importance for the stability and
durability of the proposed adequacy findings.
This is perhaps particularly
important given the UK government’s stated
aim to
take its own approach to data protection, and the fact that under Brexit
legislation the Government has considerable latitude to change the law in
primary legislation by statutory instrument. Although the decision notes this
power, it does not dwell on the possible
implications (see GDPR decision [13] and [16]; LED Decision [12]-[15]).
The decision also considers the data protection framework, specifically covering geographic and material scope, safeguards and rights, oversight, onward transfers, access by public bodies, as well as duration and review of the decisions. Much of this latter part reflects the GDPR, which, given the history of the legislation, is hardly surprising, a point the decision notes while re-emphasising the importance of the ECHR and Convention 108 [GDPR decision 18]; similar comments are made as regards the LED (LED Decision [22]). On the whole the discussion of the Data Protection Act notes that there is little difference between it and the requirements of the GDPR, though some points where the DPA is not that clear (what the safeguards for historical and statistical processing are, or whether data brokers can presume that you just want a credit score; see e.g. [73]-[74]) are not raised – these may be small points within a generally acceptable framing. The Commission does note the exception for ‘the maintenance of effective immigration control’, which had been the subject of (unsuccessful) challenge. The Commission recognises that the exception is formulated broadly, but nonetheless accepts it based on the conditions limiting its scope (see [65]). Whether the EDPB takes a similar approach remains to be seen; certainly some MEPs have been critical.
The decisions also considered mechanisms for redress and oversight (provided in Parts 5 and 6 DPA, common to both). They refer to the ability of a data subject to: complain to (and about) the ICO; bring a claim against controllers and processors for material and non-material damage; and bring a claim in UK courts under the UK’s Human Rights Act 1998 and ultimately in the European Court of Human Rights.
The Commission decision seems to recognise the UK’s data protection authority (the Information Commissioner’s Office, or ICO) as an effective oversight body (though the ICO is no longer described as “independent” in the DPA following the Brexit amendments to Art 51 GDPR, replacing ‘independent public authorities’ with the words ‘the Commissioner’), flagging the fines imposed on British Airways and Marriott as examples of regulatory practice, as well as noting the investigation into Cambridge Analytica. There are also references to the number of cases investigated, seemingly a factor in the Commission’s assessment. There is no mention of the fact that many of the codes that are part of the implementation regime are not yet drafted (e.g. the journalism code). Others have been critical of the ICO, notably in relation to its action against real-time bidding and the ad tech sector (and also in relation to the possibility of complaining about the ICO). In relation to the law enforcement sector, the ICO has had limited success in enforcing the DPA (in relation to information access requests) against the police, and concerns have been raised about the way the police deployed Microsoft Office 365 (which backs up to the United States), as well as police use of rape victims’ data stored on mobile phones, such that the Victims’ Commissioner proposed that victims should have access to free legal advice to protect their privacy. In this there might be differences between the law and practice.
In general, onward transfer of
data might be a concern, especially if the UK signs up to trade agreements
which make provisions restricting transfer of data problematic (this was part
of the issue in the Japan decision). In this section (GDPR decision [75]-[82]),
while there is plenty of detail about the UK system, there is less direct
comparison with the requirements of Schrems
II (and the LED Decision is similar). Moreover, the discussion accepts the
safeguards in relation to the transfer of data to the UK for law enforcement
purposes; yet, the EDPB has expressed
concerns.
One of the big concerns surrounding the UK adequacy agreement related to the operations of the security and intelligence services, surveillance and national security. Presumably in an attempt to head off challenges in the light of Schrems II and other decisions on surveillance, the Commission devotes a considerable amount of space to a description of the UK arrangements. The use of personal data for law enforcement purposes and in the context of national security lies outside the GDPR; even for personal data within the GDPR a general exemption applies for national security or defence purposes, though the Commission noted this must be applied on a case-by-case basis rather than as a blanket exception (see [66]-[69]).
The issue of access to data by public authorities in the public interest is dealt with in a separate section (para [112] onwards), with the decision noting that the baseline is set in Schrems II as well as the more recent cases of Privacy International (Case C-623/17) and La Quadrature du Net (Joined Cases C-511/18, C-512/18 and C-520/18) – which were discussed here. While the decision states the principles applying to an interference with an individual’s right to privacy and to data protection, it does so at a general level and does not engage with the case law surrounding mass surveillance and bulk collection of data, despite its citation of La Quadrature du Net. It instead focuses on the oversight mechanisms and formal controls, as well as the right of an individual to bring action before a court.
The EDPB by contrast specifically
notes that in the view of the CJEU completely indiscriminate data retention
would offend against the principle of necessity; it moreover states that
necessity and proportionality both need to be demonstrated (rather than
asserted). Nonetheless, the decision engages in a thorough overview of the
regime both as far as the ICO’s powers are concerned as well as the processes
set up under the Investigatory Powers Act (IPA). It concludes (at [268]) that any
interference with the fundamental rights of the individuals whose personal data
are transferred from the European Union to the United Kingdom by United Kingdom
public authorities for public interest purposes, in particular law enforcement
and national security purposes, will be limited to what is strictly necessary
to achieve the legitimate objective in question, and that effective legal
protection against such interference exists.
It does not consider the partial
nature of the response to the Tele2/Watson
ruling (discussed [195] – and here
on this blog), in which the Government specifically introduced a separate
definition of serious crime to cover metadata and failed to deal with the issue
of informing subjects of surveillance operations. It seems to accept the
practices of the agencies even though there are a number
of cases suggesting illegality in the light of the ECHR. Given the criticisms of the US regime in Schrems II, there are some suggestions
that this aspect of the decision might be subject to challenge.
One final point to note about the
decision is that it is expressed to be valid for four years, in the interests
of ‘future proofing’ the arrangements. While the Commission is under an
obligation to keep under review the other adequacy arrangements (art 45(3)
GDPR), in no other case as yet is there a time limit to the decision. This may
reflect concerns regarding the UK government’s plans for data protection in the
future; the EDPS
suggested however that ‘any substantial deviation that would result in lowering
the level of protection would constitute an important obstacle to a finding of
adequacy’. Does this hint that backsliding in and of itself might be seen as a
problem?
What Next?
The announcement from the Commission that it had published draft decisions finding the UK to meet the adequacy standard for both instruments was therefore greeted positively by the UK government and the ICO, as well as by industry. On the whole, the decision focussed on the positive aspects of the UK regime, emphasising where there was protection rather than where the weaknesses lie. This is understandable; no system is perfect and the requirement is not to replicate exactly the GDPR and the LED. Moreover, given the similarities of the UK regime at the moment, it would set a very high standard if the UK were not to be seen as adequate – where would this leave the position vis-à-vis other countries (e.g. Japan)?
Yet, this is not yet a done deal;
the EDPB will publish its opinion as required under Article 70 GDPR which,
though not binding, will be influential (as was also the case in the Japan
adequacy decision). The decision must
also be submitted to the Article 93 Committee and be made available to the
European Parliament and the Council under the comitology procedures. Further, there is still a risk that, in the
light of earlier litigation (eg Digital
Rights Ireland, Schrems
I, Tele2/Watson and Schrems II – see discussion of the first
two cases here
and here),
any adequacy decision could be challenged focussing on that difficult topic of
national security and the extent to which the State is allowed to carry out
surveillance in bulk. While the bulk of
challenges have come from privacy activists, there remains the possibility that
the European Parliament could, were it so minded, mount such a challenge (which
would reduce some of the standing issues); individual regulatory authorities
could also bring litigation.
Adequacy Decisions – Update (June
30, 2021)
The European Union has adopted the adequacy decisions in respect of the UK, available here. The decision comes just in time to avoid the need to use Standard Contractual Clauses and Binding Corporate Rules for transfers to the UK from the EU; the stop-gap measure would have reached its end on 30 June 2021. The news has been well received, but a couple of points are worth noting.
First, the UK’s current regime implements the GDPR and the LED, however imperfectly, and it would therefore have been somewhat surprising if the political institutions at EU level did not recognise this as adequate. Indeed, the Adequacy Agreement specifically refers to this point [recitals 12, 16]. The UK government’s emphasis on developing its own data policy against this background is unfortunate; the challenges to key elements of the GDPR in the TIGRR report are particularly so. The decision is also predicated upon the UK’s adherence to the European Convention on Human Rights and submission to the jurisdiction of the European Court of Human Rights:
Continued adherence to such international obligations is therefore a particularly important element of the assessment on which this Decision is based. [recital 277]
Secondly, the agreement, unusually, has a sunset clause. It will automatically expire after four years and the Commission has the right to review it during this term. Certain points of concern are apparent. For example, data transfers for the purposes of migration control are excluded by Article 1 from the scope of the adequacy agreement (though the SCCs and BCRs remain available), specifically referring to ORG v SoS for the Home Department [recital 6]; this reflects the concerns surrounding the immigration exemption. Article 3 contains monitoring arrangements relating to the actual practice of data protection, including examples of when the ICO fails to ensure compliance with the DPA 2018, where public authorities interfere with the rights of individuals more than is strictly necessary, or where there is no legal redress [Article 3(2) and (3)]. These would seem to point to concerns around data sharing by public authorities and limitations on individual rights to facilitate e.g. big data analytics.
Taken together, this suggests that the adequacy agreement is not a done deal for evermore and that some parts of the EU in particular have concerns about the current government’s plans to reduce protection. There remains the question of what those outside the EU political institutions will do. A challenge to the Adequacy Agreement remains possible, notwithstanding its attempt to deal with the problem of mass surveillance. It remains the fact that the UK surveillance regime would in future pass the adequacy threshold set down in Schrems I.
Barnard & Peers: chapter 26
Photo credit: By Christoph Scholz
- EU Puzzle mit Grossbritannien (link
to licence)
Dear Lorna - Many thanks for this update. Two immediate comments. You say that "data transfers for the purposes of migration control are excluded by Article 1 from the scope of the adequacy agreement" - but in fact the decision exclusion applies to "personal data transferred for United Kingdom immigration control purposes or which otherwise falls within the scope of the exemption from certain data subject rights for purposes of the maintenance of effective immigration control (the “immigration exemption”) pursuant to paragraph 4(1) of Schedule 2 to the UK Data Protection Act." This can affect many data transferred for non-immigration purposes, e.g., relating to health care or social benefits. Secondly, I do not agree that it is a "fact" that "the UK surveillance regime would in future pass the adequacy threshold set down in Schrems I." The debate on both will continue.