Lorna Woods, Professor of Internet Law, University of Essex
Under the General Data Protection Regulation (GDPR) and the data protection Law Enforcement Directive (LED) personal data may not be transferred outside the EU unless adequate safeguards are in place (eg via standard contractual clauses). The most comprehensive way this can be demonstrated – and the easiest for individual controllers and processors – is via an adequacy decision under Article 45 GDPR and Article 36(3) LED respectively. So far, twelve countries have, either fully or partially, been deemed adequate for GDPR purposes, including Andorra, Argentina, Canada (commercial organisations), Guernsey, Israel, Switzerland, and most recently, Japan – though note that in respect of its decision for Japan extra safeguards were required. While the Commission had found the US to be adequate, the Court of Justice disagreed (in the Schrems II judgment, discussed here).
With the UK now Brexited, it falls to be considered as a third country for data protection purposes and appropriate arrangements for data transfers need to be in place. The UK Government planned for an adequacy decision, but by the end of the transitional period the Commission had not completed its assessment. A stop-gap measure was agreed in the EU-UK Trade and Cooperation Agreement (agreed by the EU and the UK on December 24, 2020: see overview of that agreement here) so that data flows between the two remain unrestricted either: (a) for a period of 4 months from 1 January 2021 (with an automatic extension for two further months unless either the UK or the EU objects); or (b) until an adequacy decision is granted by the Commission, whichever is earlier and always provided the UK makes no substantive changes to its data protection laws. The European Data Protection Supervisor (EDPS) however expressed some concern about this agreement.
On 19th February, the European Commission published two draft decisions in respect of the adequacy of the UK for data protection purposes, one in relation to the GDPR, the other for the LED. While the decisions are of interest because of the Brexit context, they are also the first decisions drafted since the Schrems II decision and therefore may provide illumination on the Commission’s response to that decision.
The decisions are long, the GDPR decision being longer than that in relation to the LED, so no doubt commentators are still reading and reflecting on the detail. The following intial comments can be made. The decisions follow a broadly similar structure. Both identify the context and the principles to be applied in their first paragraphs. For the GDPR this was Rec 104 GDPR, the jurisprudence of the CJEU, notably Schrems II and the EDPB “Adequacy Referential”; in relation to the LED Decision the Court’s case law is relevant, as is the specific “Adequacy Referential” the EDPB only recently adopted (02/02/2021) in relation to the LED. While adequacy might be the same, the context in relation to the GDPR and the LED differs, and different legal provisions are in issue. The main body of the decision in each case reviews the UK system. In its over view of the constitutional framework, the draft decision emphasises the Human Rights Act and the fact that the UK is a signatory to the European Convention on Human Rights as well as the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (“Convention 108”).
These international agreements are important to the Commission in providing some stability to the UK’s ongoing data protection commitments. In its press release, the Commission commented that while it has left the EU,
… the UK remains a member of the European “privacy family”. Continued adherence to such international conventions is of particular importance for the stability and durability of the proposed adequacy findings.
This is perhaps particularly important given the UK government’s stated aim to take its own approach to data protection, and the fact that under Brexit legislation the Government has considerable latitude to change the law in primary legislation by statutory instrument. Although the decision notes this power, it does not dwell on the possible implications (see GDPR decision  and ; LED Decision -).
The decision also considers the data protection framework, specifically covering geographic and material scope, safeguards and rights, oversight, onward transfers, access by public bodies as well as duration and review of the decisions. Much of this latter part reflects the GDPR, which given the history of the legislation, is hardly surprising, a point the decision notes while re-emphasising the importance of the ECHR and Convention 108 [GDPR decision 18]; similar comments are made as regards the LED (LED Decision ). On the whole the discussion of the Data Protection Act notes that there is little difference between it and requirements of the GDPR, though some points where the DPA is not that clear (what are the safeguards for historical and statistical processing, which can data brokers presume that you just want a credit score see e.g -) are not raised – these may be small points within a generally acceptable framing. The Commission does note the exception for ‘the maintenance of effective immigration control’ which had been the subject of (unsuccessful) challenge. The Commission recognises that the exception is formulated broadly, but nonetheless accepts it based on the conditions limiting its scope (see ). Whether the EDPB takes a similar approach remains to be seen; certainly some MEPs have been critical.
The decisions also considered mechanisms for redress and oversight (provided in Parts 5 and 6 DPA, common to both). It refers to the ability of a data subject to: complain to (and about) the ICO; to bring a claim against controllers and processors for material and non-material damages; and to bring a claim in UK courts under the UK’s Human Rights Act 1998 and ultimately in the European Court of Human Rights.
The Commission decision seems to recognise the UK’s data protection authority (the Information Commissioner’s Officer, or ICO) as an effective oversight body (though the ICO is no longer described as “independent” in the DPA following the Brexit amendments to Art 51 GDPR, replacing ‘independent public authorities’ with the words ‘the Commissioner’), flagging the fines imposed on British Airways and Marriot as examples of regulatory practice, as well as noting the investigation into Cambridge Analytica. There are also references to the number of cases investigated, seemingly a factor in the Commission’s assessment. There is no mention of the fact that many of the codes that are part of the implementation regime are not yet drafted (eg journalism code). Others have been critical of the ICO, notably in relation to its action against real time bidding and the ad tech sector (and also in relation to the possibility of complaining about the ICO). In relation to the law enforcement sector, the ICO has had limited success in enforcing the DPA (in relation to information access requests) against the police and concerns have been raised about the way the police deployed Microsoft Office 365 (which backs up to the United States), as well as police use of rape victims’ data stored on mobile phones so that the Victims’ Commissioner proposed that victims should have access to free legal advice to protect their privacy. In this there might be differences between the law and practice.
In general, onward transfer of data might be a concern, especially if the UK signs up to trade agreements which make provisions restricting transfer of data problematic (this was part of the issue in the Japan decision). In this section (GDPR decision -), while there is plenty of detail about the UK system, there is less direct comparison with the requirements of Schrems II (and the LED Decision is similar). Moreover, the discussion accepts the safeguards in relation to the transfer of data to the UK for law enforcement purposes; yet, the EDPB has expressed concerns.
One of the big concerns surrounding the UK adequacy agreement related to the operations of the security and intelligence services, surveillance and national security. Presumably in an attempt to head off challenges in the light of Schrems II and other decisions on surveillance, the Commission devotes a considerable amount of space to a description of the UK arrangements. The use of personal data for law enforcement purposes and in the context of national security lie outside the GDPR; even for personal data within the GDPR a general exemption applies for national security or defence purposes, though the Commission noted this must be applied on a case by case basis rather than as a blanket exception (see -).
The issue of access to data by public authorities in the public interest is dealt with in a separate section (para  onwards), with the decision noting that the baseline is set in Schrems II as well as the more recent cases of Privacy International (Case C-623/17) and La Quadrature du Net (Cases C-511-12/18 and C-520/18) – which were discussed here. While the decision states the principles applying to an interference with an individual’s right to privacy and to data protection, it does so at a general level and does not engage with the case law surrounding mass surveillance and bulk collection of data, despite its citation of La Quadrature du Net. It instead focuses on the oversight mechanisms and formal controls, as well as the right of an individual to bring action before a court.
The EDPB by contrast specifically notes that in the view of the CJEU completely indiscriminate data retention would offend against the principle of necessity; it moreover states that necessity and proportionality both need to be demonstrated (rather than asserted). Nonetheless, the decision engages in a thorough overview of the regime both as far as the ICO’s powers are concerned as well as the processes set up under the Investigatory Powers Act (IPA). It concludes (at ) that any interference with the fundamental rights of the individuals whose personal data are transferred from the European Union to the United Kingdom by United Kingdom public authorities for public interest purposes, in particular law enforcement and national security purposes, will be limited to what is strictly necessary to achieve the legitimate objective in question, and that effective legal protection against such interference exists.
It does not consider the partial nature of the response to the Tele2/Watson ruling (discussed  – and here on this blog), in which the Government specifically introduced a separate definition of serious crime to cover metadata and failed to deal with the issue of informing subjects of surveillance operations. It seems to accept the practices of the agencies even though there are a number of cases suggesting illegality in the light of the ECHR. Given the criticisms of the US regime in Schrems II, there are some suggestions that this aspect of the decision might be subject to challenge.
One final point to note about the decision is that it is expressed to be valid for four years, in the interests of ‘future proofing’ the arrangements. While the Commission is under an obligation to keep under review the other adequacy arrangements (art 45(3) GDPR), in no other case as yet is there a time limit to the decision. This may reflect concerns regarding the UK government’s plans for data protection in the future; the EDPS suggested however that ‘any substantial deviation that would result in lowering the level of protection would constitute an important obstacle to a finding of adequacy’. Does this hint that backsliding in and of itself might be seen as a problem?
The announcement from the Commission that it had published draft decisions finding the UK to meet the adequacy standard for both instruments was therefore greeted positively by the UK government and the ICO as well as by industry. On the whole, the decision focussed on the positive aspects of the UK regime, emphasising where there was protection rather than where the weaknesses lie. This is understandable; no system is perfect and the requirement is not to replicate exactly the GDPR and the LED. Moreover, given the similarities of the UK regime at the moment, it would set a very high standard if the UK were not to be seen as adequate – where would this leave the position vis a vis other countries (eg Japan)?
Yet, this is not yet a done deal; the EDPB will publish its opinion as required under Article 70 GDPR which, though not binding, will be influential (as was also the case in the Japan adequacy decision). The decision must also be submitted to the Article 93 Committee and be made available to the European Parliament and the Council under the comitology procedures. Further, there is still a risk that, in the light of earlier litigation (eg Digital Rights Ireland, Schrems I, Tele2/Watson and Schrems II – see discussion of the first two cases here and here), any adequacy decision could be challenged focussing on that difficult topic of national security and the extent to which the State is allowed to carry out surveillance in bulk. While the bulk of challenges have come from privacy activists, there remains the possibility that the European Parliament could, were it so minded, mount such a challenge (which would reduce some of the standing issues); individual regulatory authorities could also bring litigation.
Barnard & Peers: chapter 26
Photo credit: By Christoph Scholz - EU Puzzle mit Grossbritannien (link to licence)