As the Brexit deadline approaches, UK and EU businesses are on track for friction regarding cross-border data transfers once the transition period ends in January 2021.
Data protection is currently unresolved in the negotiations, despite the UK’s current alignment with EU regulation on the matter through GDPR.
Given adequacy decisions can sometimes take years to be agreed, Information Age spoke to Tim Hickman, partner at global law firm, White & Case LLP, to find out how likely we are to reach an agreement by the end of 2020.
What is an adequacy decision and why does it matter?
Under Article 44 of the General Data Protection Regulation (“GDPR”) there is a general prohibition on the transfer of personal data from within the European Economic Area (i.e., the EU Member States, plus Iceland, Liechtenstein and Norway) (the “EEA”) to recipients in a jurisdiction outside the EEA (a “Third Country”).
There are several exceptions to this general prohibition, each of which applies in limited circumstances. An “adequacy decision” is one such exception — it is a decision by the European Commission that a particular Third Country satisfies certain criteria, and therefore it is permissible for businesses to send personal data to recipients in that Third Country. In two specific cases (the US and Canada) adequacy decisions have, in the past, been made in respect of specific regulatory regimes, rather than in respect of the country as a whole.
What is the impact of the recent Schrems II decision?
Directive 95/46/EC (the precursor to the GDPR) contained a similar general prohibition on cross-border data transfers to that set out in the GDPR. Under that Directive, the European Commission had negotiated with the U.S. a mechanism known as the “Safe Harbor”, which was intended to allow EEA businesses to send personal data to recipients in the U.S., if those recipients had certified to the Safe Harbor. However, in 2015, the Court of Justice of the EU (“CJEU”) invalidated the Commission’s adequacy decision in respect of the Safe Harbor on the basis that it provided insufficient protections to individuals whose data had been transferred to the U.S. (this case was known as Schrems I).
In 2016, following Schrems I, the European Commission and the U.S. Department of Commerce negotiated a new mechanism that provided additional protections (the “Privacy Shield”) to replace the Safe Harbor. The Schrems II case was similar to the first case, and had a similar outcome, with the CJEU finding that the Privacy Shield (like the Safe Harbor before it) provided insufficient protection for individuals in the EEA whose data had been transferred to the U.S. Consequently, the Schrems II decision leaves businesses facing a significant degree of legal uncertainty in relation to cross-border transfers of personal data out of the EEA.
What will happen to the GDPR in the UK after Brexit?
The UK has already adopted provisions (via section 22 and Schedule 6 of the Data Protection Act 2018) that will effectively transpose the GDPR into domestic legislation in the UK after the end of the Brexit transition period (currently set to expire on 31 December 2020). There are some technical changes that will result from Brexit (e.g., the UK Information Commissioner’s Office will no longer participate in the European Data Protection Board, and companies will no longer be able to have their GDPR “main establishment” in the UK) but, for the most part, the day-to-day data protection compliance obligations of businesses operating in the UK will remain unchanged.
However, transfers of personal data between the EEA and the UK will become more complex because after the end of the Brexit transition period, the UK will be treated as a Third Country. The UK government has indicated that it will not impose restrictions on transfers of personal data from the UK to the EEA. However, the general prohibition on cross-border transfers of personal data under the GDPR will apply to transfers of personal data from the EEA to the UK. This means that any business that wants to send personal data from the EEA to the UK after the end of the Brexit transition period will need to have a valid transfer mechanism in place.
Why does it matter whether the UK receives an adequacy decision?
If the UK receives an adequacy decision following the end of the Brexit transition period, then transfers of personal data from the EEA to the UK will continue to function relatively smoothly. Businesses in the EEA will (as a result of the Schrems II decision) have an obligation to ensure that appropriate protections continue to apply to the personal data that they transfer to the UK, but in general the impact of Brexit on cross-border transfers of personal data from the EEA to the UK will be minimal in this scenario.
On the other hand, if the UK does not receive an adequacy decision, then there is significant potential for business impact, as EEA businesses will be forced to implement data transfer agreements with their UK counterparts, or find other solutions to allow them to continue to send personal data to the UK. In addition, even where standard form pre-approved data transfer agreements (known as “Standard Contractual Clauses”) are used, the data exporter in the EEA will, as a result of the Schrems II decision, remain responsible for ensuring appropriate levels of protection for the transferred data. EU regulators have issued a short set of FAQs and have promised additional detailed guidance on this issue but, as yet, no such guidance has been produced.
What are the main sticking points in agreeing an adequacy decision for the UK?
It remains unclear whether the UK will receive an adequacy decision after the end of the Brexit transition period. The main legal argument in favour of the UK receiving an adequacy decision is that no other Third Country has laws that are as similar to the GDPR as the Data Protection Act 2018. Since the EU has already granted adequacy decisions to several jurisdictions that have less similar laws, the argument goes that the UK is the most deserving candidate for an adequacy decision.
The main legal argument against the UK receiving an adequacy decision is that the UK conducts extensive surveillance for the purposes of national security, and that this is the same activity that resulted in the Privacy Shield being overturned by the CJEU in Schrems II. On 16 September 2020, the European Parliament released comments on the Schrems II decision, in which it formally acknowledged the argument that the UK might not receive an adequacy decision due to its national security surveillance activities. This also creates doubts as to whether existing adequacy decisions will be impacted in jurisdictions that have laws that are much less similar to the GDPR, and that have significant national security operations (for example, Canada, Israel and New Zealand).
There have been a few suggestions that the UK might not necessarily want an adequacy decision. First, there have been indications that the UK might wish to deregulate certain portions of its economy after the end of the Brexit transition period, in order to attract new investment.
Data protection laws have long been seen as a reason not to invest in certain data-heavy technologies in the EU (notably artificial intelligence) and it is possible that the UK could become a more attractive destination for investment in these areas if it removed some data protection red tape — something that would likely not be compatible with an adequacy decision. Second, the UK government has indicated that it is keen to avoid “dynamic alignment” (i.e., obligations to revise UK laws to bring them into line with EU laws on an ongoing basis) after the end of the Brexit transition period. An adequacy decision would effectively require some form of dynamic alignment, because if UK laws were seen to be falling behind in terms of the protections afforded to individuals in the EEA, there would be a risk of annulment of that adequacy decision.
There is also the question of politics. The European Commission has no legal obligation to grant an adequacy decision to the UK (or, indeed, to even consider a request from the UK for an adequacy decision). Consequently, as the Brexit trade negotiations continue, the question of whether there will be a deal on data (and what that deal might look like) has thus far remained unresolved.
However, on 21 September 2020, John Whittingdale (the Minister of State for Media and Data, in the UK’s Department for Digital, Culture, Media) was reported to have told Members of Parliament that the UK government “fully expects” that the UK will receive an adequacy decision at the end of the Brexit transition period.
Moreover, Mr Whittingdale was reported to have said that the Schrems II decision should not impact any adequacy decision granted to the UK, since the Data Protection Act 2018 does not suffer from the same issues that caused the CJEU to overturn the Safe Harbor and the Privacy Shield respectively. It remains to be seen whether the European Commission shares Mr Whittingdale’s views on these issues.