The Fate of the Flow #2
A comprehensive analysis of the UK’s case for data adequacy
After December 2020, the UK would have left the EU for good. The transition period, during which EU law continues to apply, will come to an end and the UK will become a non-EU Member State. Thus, barring an adequacy decision by the European Commission, the free flow of data between the EU and UK will come to a halt. If so, organisations wanting to continue data transfers will have to look to other legal mechanisms available under the GDPR.
It is peculiar that EU-UK data flows as an issue has received little media attention during the Brexit negotiations, especially given the economic value of such activity. The Political Declaration agreed between the UK and the EU last October states that both parties are “committed to ensuring a high level of personal data protection” in order to facilitate data flows after exit day. The importance of such data flows is undeniable: “[i]mports and exports of both goods and services heavily depend on the free flow of personal data between and UK and EU.” In 2018, exports to the UK of services using personal data were valued at £42 billion and exports from the UK were £85 billion. Also, “75% of the UK’s international data flows are with the EU, and much UK economic activity is dependent on these flows.”
That data flows between the UK and the EU have been free for many years before Brexit means that any major restrictions could prove quite disruptive. The increased compliance burdens and higher legal costs to continue data transfers would impact organisations from a range of sectors, and not just those offering digital services. This is because “[t]he flow of data is ubiquitous for many businesses due to the international provision of services and the international operation of businesses across markets.” It is therefore quite crucial for the EU and the UK to maintain the free flow of data after exit day.
Under Article 44 GDPR, any transfers of personal data to a third country may only take place via certain prescribed mechanisms. One of those mechanisms is detailed under Article 45: transfers based on an adequacy decision.
An adequacy decision is a decision made by the European Commission affirming that a third country ensures an adequate level of protection of personal data under its domestic law. In determining whether a third country ensures this adequate level of protection, Article 45 sets out the criteria which must be used to make such an assessment. However, it should be noted that the domestic law of the third country need not be identical to the regime in the EU. Rather, the protection afforded must be “essentially equivalent” to the EU’s framework, as highlighted by the ECJ in Schrems Iand by Recital (104) of the GDPR.
Under Article 45, the prescribed criteria is three-fold. The first part concerns the overall legal framework, which includes the legislation and caselaw on human rights, public security, defence, national security and criminal law, as well as any relevant rules on data protection. The second part concerns the existence and effective functioning of an independent supervisory authority responsible for enforcing compliance with data protection rules within the third country. The third part concerns the international commitments that the third country is subject to relating to the protection of personal data.
However, this criteria under Article 45 is not exhaustive. The Commission has stated other factors which it may take into account when making an adequacy decision. For example, the Commission may consider the EU’s commercial relations with the third country, “including the existence of a free trade agreement or ongoing negotiations.” The Commission may also consider “the overall political relationship with the third country in question, in particular with respect to the promotion of common values and the shared objectives at an international level.”
This therefore means that the process of gaining adequacy is as much political as it is legal. The Commission thus enjoys wider discretion and flexibility in its decision-making than what may be suggested by looking at Article 45 on its own.
The UK’s Case For Adequacy
Overall, the UK can make a fairly strong case that it meets the three-part criteria under Article 45 for an adequacy decision. The UK Government could argue that its legal framework, independent supervisory authority and international commitments meet the essential equivalence standard to warrant the continuance of the free flow of data after exit day.
In terms of its legal framework, the UK’s data protection laws have been based on the EU’s regime ever since the Data Protection Directive in 1995 (implemented in the UK via the Data Protection Act 1998). Before the GDPR came into force in May 2018, the UK passed the Data Protection Act 2018 (DPA 2018). The main purpose of this Act is to fill in the “white spaces” of the GDPR, namely the areas of discretion afforded to Member States in implementing and enforcing the Regulation within their domestic legal frameworks. For example, under Article 23(1), Member States are permitted to restrict data subject rights where personal data is processed in the context of inter alia national security, defence or public security.
However, the DPA 2018 is not the only part of the UK’s data protection framework. The Government has also been passing various pieces of legislation in preparation for exit day. Part of this work includes the European Union (Withdrawal) Act 2018 (EUWA). This Act repeals the European Communities Act 1972, of which effectively gave EU law legal effect within the UK as a Member of the EU. By repealing the 1972 Act, the 2018 Act terminates this legal conduit and separates the UK’s body of law from that of the EU.
The EUWA, however, performs a further function: s.2(1) provides the authority for the copy-and-paste of EU law into UK law so as to achieve legal continuity when EU law ceases to apply to the UK after exit day. By doing so, under s.3(1), EU law operative before exit day is incorporated into UK law as ‘retained EU law’. Section 3(2) states that this retained EU law includes EU regulations, for example the GDPR. Thus, the GDPR will become retained EU law after exit day.
Under s.8(1), this retention is achieved in practice by the UK Government passing statutory instruments. This secondary legislation can modify retained EU law so as to correct any deficiencies of that retained law when incorporated into UK law (Paragraph 21(a)(i) of Schedule 7). This is what will be done with the retained GDPR.
On exit day, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (DPPEC) comes into force. The purpose of these Regulations is to amend the retained GDPR and also the DPA 2018 so as to achieve legal continuity after exit day. A Keeling Schedule has been made available to illustrate how the DPA 2018 will change after exit day.
Under the Keeling Schedule, s.3(10) of the DPA 2018 introduces “the UK GDPR”, which is essentially the GDPR as retained under EUWA. However, that retained GDPR will have modifications made to it, as mandated by the DPPEC, so that the provisions fit within the UK legal framework. For example, references to European Commission found the EU’s GDPR will be deleted in the UK GDPR. Schedule 1 of the DPPEC contains the full UK GDPR (a Keeling Schedule has been provided showing what the UK GDPR will look like after being modified by the DPPEC).
Therefore, simply put, the UK can argue that its rules on data protection will be almost identical to the EU’s GDPR after exit, and so would satisfy this part of the criteria under Article 45.
In relation to the second part of the criteria, the UK can boast the strength of its independent supervisory authority for data protection, the Information Commissioner’s Office (ICO). Numerous points can be made in favour of the ICO.
Firstly, the DPA 2018 equips the ICO “with a wide range of powers to enable it to be an effective data protection authority.” These include investigatory and enforcement powers, as well as “the power to prosecute those who commit criminal offences under the [DPA 2018].” Such powers have been used to engage in some notable investigations, such as a £183.39 million fine against British Airways and £99.2 million fine against Marriott International Inc (although, the ICO has only announced an intention to fine these companies and, according to its Annual Report for 2019/20, the investigations into these companies are still ongoing, the length of which has garnered much criticism). The ICO has also been investigating the use of personal data in political campaigns, called Operation Cederberg, of which is also linked to its investigation of Cambridge Analytica and its use of Facebook user data.
Secondly, the ICO plays an important role in its advice-giving capacity. This is both for private entities and public institutions, including the UK Government. It gave extensive advice to various organisations in different sectors in the run-up to the GDPR. It has also played an important part in the production of guidelines issued by the European Data Protection Board (EDPD), such as those on automated decision-making (including profiling) and the calculation of fines for infringements of the GDPR. The ICO has thus made “a significant contribution to the work of the EDPB as a member.”
This links to the third positive point about the ICO, which is that it is a highly respected authority not just in the EU but also internationally: the Government asserts that “the ICO contributes to the EU’s world-leading expertise and global influence.”
On the third part of the Article 45 criteria, the UK can make two points in its favour. Firstly, it is a signatory to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108+). This includes signing up to the revamped version in 2018, which brought the Convention inline with the GDPR. Secondly, the UK is a signatory of the European Convention on Human Rights, which has effect in UK domestic law via the Human Rights Act 1998 (HRA 1998).
Overall, the UK has a relatively strong case for adequacy. Its legal framework for data protection is almost identical to that of the EU’s. Those rules are enforced by the ICO of which is a widely respected supervisory authority. On top of that, the UK is a signatory to international treaties that further strengthen the data protection and privacy rights of individuals.
Nevertheless, since the transition period began in January 2020, some EU institutions have expressed concerns about the UK and whether it should obtain data adequacy. All of these concerns relate to the three-part criteria under Article 45 and thus will likely form part of the Commission’s analysis and eventual decision.
In February 2020, the European Parliament passed on a non-legislative resolution on the future EU-UK relationship post-Brexit. The resolution contained the Parliament’s suggestions as to what should be sought from negotiations in the form of a proposed mandate for the Commission to follow. Among the array of issues that the resolution addressed was that of data protection and UK adequacy. The Parliament raised two concerns regarding the UK’s data protection framework.
The first concerned the provisions of the DPA 2018 relating to immigration: some data protection rights do not apply where personal data are processed for immigration purposes. The Act provides that certain parts of the GDPR, including those relating to privacy notices (Article 13) and the right to be forgotten (Article 17), do not apply where personal data are being processed for the maintenance of effective immigration control (Schedule 2, Part I, para. 4).
These exemptions take advantage of Article 23(1), which allows Member States to restrict the rights of data subjects in certain contexts. Even so, the European Parliament stressed that “when non-UK citizens’ data are processed under this exemption, they are not protected in the same manner as UK citizens.” Thus, according to the Parliament, such an exemption would be in conflict with the GDPR.
The second concern raised by the Parliament related to the UK’s State surveillance regime, in particular the “legal framework on retention of electronic telecommunications data” and “the legal framework…in the fields of national security or processing of personal data by law enforcement authorities.” The Parliament argued that these aspects of the regime “might not be adequate under EU law, especially given the decisions made by the European Court of Justice (“ECJ”) and the European Court on Human Rights (“ECtHR”) on this subject over the years.
Additionally, in July 2020, the ECJ handed down its Schrems IIjudgment in which it invalidated the EU-US Privacy Shield. This was a legal mechanism agreed between the European Commission and US Department of Commerce that allowed certified companies to transfer data from the EU to the US. This agreement was accompanied by an adequacy decision made by the European Commission, which stated that the Privacy Shield ensured that the US provided an adequate level of protection of personal data belonging to EU citizens.
The ECJ struck down the Privacy Shield on the basis that it did not ensure that the US provided an adequate level of protection. This was the case for two reasons, both of which related to the surveillance laws of the US. Firstly, those laws did not contain the necessary limits on surveillance powers as required under the EU Charter of Fundamental Rights. Secondly, those laws did not give EU citizens an avenue for seeking an effective legal remedy where their rights might be infringed by US public authorities.
This decision in Schrems II is highly relevant to UK adequacy since the case details the requirements of EU law in relation to State surveillance law. The following extracts are from a previous article on The Cyber Solicitor exploring the ECJ’s decision and the requirements in question:
Article 52(1) of the Charter provides that interference with these rights may only be permitted when a number of cumulative conditions are satisfied. Firstly, the interference must be provided for by law, meaning that there must be in existence a legal authority detailing when certain surveillance powers may be used. Secondly, that interference must be necessary in order to achieve an envisaged legitimate aim, for example national security. Thirdly, the nature and scope of that interference must be proportionate to the achievement of that aim, meaning that the least intrusive surveillance measure, that also still manages to achieve the envisaged aim, should be used.
On the proportionality requirement, the ECJ noted that the law prescribing the interference with rights must (a) “lay down clear and precise rules governing the scope and application of the measure in question”, (b) contain minimum safeguards so that those subject to surveillance “have sufficient guarantees to protect effectively their personal data against the risk of abuse”, and (c) indicate the circumstances in which the surveillance measure may be used to ensure “that the interference is limited to what is strictly necessary.”
Article 47 of the Charter [states that] those who have their rights violated are entitled to an effective remedy. On this, the ECJ held that “the very existence of effective judicial review designed to ensure compliance with provisions of EU law is inherent in the existence of the rule of law.” Therefore, any omission of this right to a remedy would “not respect the essence of the fundamental right to effective judicial protection.”
Thus, the use of surveillance powers of the security and intelligence agencies (SIAs) in the UK must be (a) prescribed by law, (b) necessary for a legitimate aim, and (c) proportionate to the legitimate aim. In addition, EU citizens must have the ability to challenge the SIAs where their rights may be infringed.
In the UK, State surveillance is largely governed by the Investigatory Powers Act 2016 (IPA 2016). Under this Act, the SIAs, which includes inter alia GCHQ, MI5, MI6 and the police, are equipped with certain powers: the interception of communications, the retention of metadata, the acquisition of metadata, equipment interference and the use of bulk personal datasets. The use of these powers are detailed in the IPA 2016 itself and also by accompanying Codes of Practice. Accordingly, UK surveillance law would meet the first requirement under the EU Charter, which is that surveillance powers must be prescribed by law.
The next two requirements, that of necessity and of proportionality, are addressed by a safeguard in the IPA 2016 known as ‘the double lock’. The Act establishes the role of Judicial Commissioners (JCs): persons who have held a high judicial office with the responsibility of reviewing each warrant authorising the use of surveillance powers. Thus, for each warrant, the assessment made by the JCs is twofold. First, the JC must consider that the conduct permitted by a particular warrant (authorising the use of a surveillance power) must be necessary for national security or some other legitimate aim. Second, the JC must also consider that the permitted conduct under the warrant is proportionate to that legitimate aim. Before being reviewed by the JCs, the Secretary of State must also consider that the warrant is both necessary and proportionate. Subjecting the warrant to both executive and judicial review makes up the double lock.
Under the IPA 2016, interception, data retention, data acquisition and equipment interference can be authorised in either targeted or bulk form. When authorised in bulk form, the use of such powers are subject to the double lock in addition to other restrictions under the Act. For example, bulk equipment interference (effectively computer hacking) is subject to three conditions. Firstly, the use of the power must be foreign-focused, meaning that data belonging to those in the UK cannot be obtained except under particular circumstances. Secondly, the equipment being interfered with must be connected to a specified operational purpose decided by the National Security Council (of which is chaired by the Prime Minister). Thirdly, a targeted examination warrant must be sought before data obtained using equipment interference can be inspected by the SIAs.
In the UK, there has been some litigation concerning the IPA 2016 since it was passed. A case from 2018 challenged the provisions on the retention of data by telecommunications companies. The challenge focused on the compatibility of this surveillance power with the stipulations made by the ECJ in the Watson case, namely that legislation permitting the general and indiscriminate retention of data is prohibited under EU law. The Act was found to be lawful in some respects but not all (more on this here).
Another case in 2019 challenged the bulk powers as a whole and their compatibility with the ECHR. Here, the High Court held that the bulk powers were compatible with the ECHR, in particular Article 8 (the right to privacy), due to the IPA 2016 containing sufficient safeguards against the abuse of power by the SIAs. The Court came to this conclusion citing the Bulk Powers Review by Lord Anderson QC, which examined the operational case for each bulk power, as well as citing the double lock process codified in the Act.
In relation to providing an effective legal remedy against the SIAs, s.7(1)(a) of the HRA 1998 provides that a person who claims that a public authority has infringed their rights may bring proceedings against that authority in the appropriate court or tribunal. To that effect, the Regulation of Investigatory Powers Act 2000 (RIPA) establishes the Investigatory Powers Tribunal (IPT). This Tribunal, under s.65(2)(a) RIPA, has jurisdiction to hear cases against the SIAs and determine whether they have complied with the HRA 1998 when using their surveillance powers. If it finds against the SIAs, it can, inter alia, make an order quashing or cancelling any warrant or authorisation (s.67(7)(a) RIPA). In addition, decisions of the IPT can be challenged by other courts in the UK, as was confirmed last year by the Supreme Court inR (Privacy International) v IPT & Others (2019).
Furthermore, it would appear that this avenue for legal redress would be available to non-UK citizens, which would include EU citizens after exit day. Article 1 ECHR states that the UK, as a signatory to the Convention, must secure for everyone within their jurisdiction the rights and freedoms defined in the Convention. Accordingly, s.7(7) states that the persons who can bring a claim against public authorities includes those who could bring a claim to the ECtHR. In turn, Article 34 of the Convention states that the ECtHR may receive applications from any person claiming to be a victim of a violation of the Convention by the signatory States, which includes the UK.
Thus, in relation to an effective legal remedy, it would seem that, with the establishment of the IPT and the ability for non-UK citizens to bring complaints against the SIAs through that Tribunal, the UK meets this requirement of EU law as expressed in Schrems II. However, it is not just the UK’s State surveillance regime that will be examined in detail by the European Commission as a potential stumbling block.
The Special Relationship
The intelligence and data sharing arrangements that the UK has in place with the US will likely be another significant problem for adequacy. One of the elements that the European Commission is required to consider in making its adequacy decision are the rules for the onward transfer of personal data to another third country. Thus, the Commission may be concerned that, if it were to give the UK adequacy, personal data could flow from the UK and then onwards to the US, a country which no longer has adequacy as a result of Schrems II.
With the creation of the UK GDPR under the DPPEC, the UK will effectively be ‘rolling over’ all European Commission adequacy decisions, including the Privacy Shield. Thus, after exit, the Privacy Shield will remain a valid mechanism for data transfers from the UK to the US (so long as organisations maintain their certification and adhere to their obligations under that framework). Data flows between the UK and the US are thus likely to continue after exit day. However, if the UK does maintain this rolling over of the Privacy Shield, then this may jeopardise its ability to obtain adequacy from the European Commission. The problems highlighted by the ECJ in Schrems II relate to the state of US surveillance law, and the rolling over of the Privacy Shield by the UK does not change this fact.
In addition, there is also the Agreement Access to Electronic Data for the Purposes of Countering Serious Crime agreed between the UK and the US in October 2019. The purpose of this treaty is to allow the UK or the US to make direct requests to cloud service providers (CSPs) for data relating to criminal activity, subject to numerous conditions and safeguards. Article 3(3) states that the domestic law of the UK and the US affords robust substantive and procedural protections for privacy and civil liberties in light of the data collection and activities subject to the Agreement. Article 9(2) further states that the processing and transfer of data in the execution of requests under the Agreement are compatible with the applicable laws regarding privacy and data protection in the UK and the US.
However, the EDPB has expressed doubts about the Agreement. In its letter to the European Parliament in June, the Board questioned whether “the safeguards in the agreement for access to personal data in the UK would apply in the case of disclosure obligations applicable to [CSPs] or remote [CSPs] under the jurisdiction of the United States.” However, the Board did also stress that it would only give a more detailed opinion once it has the opportunity to review any draft adequacy decision by the European Commission. Nevertheless, the hesitancy expressed by the EDPB does not bode well for UK adequacy. This is in addition to a recent UK Supreme Court finding that a data transfer by UK authorities to the US concerning a terrorist investigation (in accordance with a different mutual assistance arrangement) was in contravention of the DPA 2018.
On top of this, the UK, US, Canada, Australia and New Zealand are members of the Five Eyes intelligence group, of which is underpinned by a number of intelligence sharing agreements. Membership of such a group does not bode well for UK adequacy, especially after the criticisms of US surveillance law expressed in Schrems I and II spawning from the Snowden revelations in 2013. In addition, any eventual decision on the UK may have an impact on the (currently) valid adequacy decisions for Canada and New Zealand.
Will the UK Get Adequacy?
Given the aforementioned relationship with the US and the recent Schrems II judgment, UK adequacy seems a more distant prospect. Many organisations may therefore be wise proceeding on this presumption and preparing accordingly. However, Schrems II also makes the seemingly obvious alternative transfer mechanism, standard contractual clauses, just as treacherous: the heavy obligations imposed on data exporters and importers in relying on SCCs make them a cumbersome choice.
Thus, for the short-term, organisations wanting to continue with transfers from the EU to the UK are likely to encounter higher legal costs and uncertainty. The ICO has issued some guidance on data protection rules after exit day, including a FAQs section on data transfers on its website, in attempt to deal with some of the unease.
Even so, the issues around international data transfers are likely to be characterised by uncertainty for a while yet. Data protection, as an area of law, is still in its infancy and it will take time for it to reach any kind of maturity and stability. In the meantime, technologists, policymakers, business leaders and others will have to carefully navigate this highly dynamic landscape to come up with viable solutions. We are only just getting started.