The draft adequacy decisions: Data Protection in the UK and the EU


Lorna Woods, Professor of Internet Law, University of Essex

Background

The General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED) impose strict rules on transferring personal data outside the EU. An adequacy decision, by which the Commission finds that a third country offers an essentially equivalent level of protection, is the simplest lawful basis for such transfers. Currently, twelve countries have received full or partial adequacy decisions, including Japan, whose decision relies on additional safeguards. The US previously benefited from an adequacy decision (the Privacy Shield), but the Court of Justice invalidated it in the Schrems II case.

Following Brexit, the UK became a “third country”, so transfers of personal data from the EU to the UK require an adequacy decision or another transfer mechanism. The UK government sought such a decision, but it had not been adopted before the Brexit transition period ended. A bridging provision in the EU-UK Trade and Cooperation Agreement allowed data to continue to flow for a limited period, or until an adequacy decision was adopted if sooner. The European Data Protection Supervisor (EDPS), however, raised concerns about this arrangement.

On February 19th, 2021, the European Commission published draft adequacy decisions for the UK, one under the GDPR and one under the LED. These decisions are significant as they are the first since Schrems II and offer insight into the Commission’s response to that ruling. (Update, June 28, 2021: The EU has now formally adopted the adequacy decisions for the UK. See the update at the end of this post.)

The Decisions

Both decisions are structured similarly, starting with context and principles drawn from relevant GDPR articles, case law (including Schrems II), and EDPB guidelines. The decisions then analyze the UK’s system, emphasizing the Human Rights Act, the UK’s role as a European Convention on Human Rights signatory, and its involvement in the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (“Convention 108”).

The Commission sees these international agreements as vital for assuring the UK’s ongoing commitment to data protection, especially given the UK’s plans to forge its own path in data protection and its ability to easily change data protection laws. The decisions acknowledge this potential for change but don’t deeply examine the possible effects.

The decisions also review the UK’s data protection framework, including its scope, safeguards, rights, oversight, onward transfers, public body access, and decision duration and review. This section largely mirrors the GDPR, which is not surprising. However, some unclear areas in the UK Data Protection Act (DPA) are not addressed. While acknowledging the broad exception for “effective immigration control,” the Commission accepts it based on its limiting conditions, though it remains to be seen whether the EDPB will agree.

The decisions then examine the UK’s redress and oversight mechanisms, citing the Information Commissioner’s Office (ICO) as an effective supervisory body, despite its no longer being described as “independent” under the DPA. The Commission points to the ICO’s enforcement action against British Airways and Marriott, as well as its investigation into Cambridge Analytica, as evidence of its effectiveness. However, the ICO has been criticised by some, particularly over its handling of real-time bidding and ad tech, and over the process for lodging complaints against the ICO itself.

The decisions also address potential concerns about onward transfers, especially the possibility that the UK enters into trade agreements that affect how data transferred from the EU may flow onward to other countries. While the decisions describe the UK system in detail, they do not directly measure it against the requirements set out in Schrems II. Additionally, the decisions accept the safeguards for law enforcement data transfers despite the concerns the EDPB has expressed.

A significant concern surrounding the UK’s adequacy is the operation of its security and intelligence services, specifically regarding surveillance and national security. To address potential challenges arising from Schrems II and other surveillance rulings, the Commission dedicates considerable space to describing the UK’s arrangements in these areas. However, while outlining the principles governing interference with privacy and data protection rights, the decisions don’t delve into case law surrounding mass surveillance and bulk data collection, despite citing relevant cases. Instead, they focus on oversight mechanisms, formal controls, and the right to legal action.

By contrast, the EDPB has stated clearly that entirely indiscriminate data retention violates the principle of necessity, and that both necessity and proportionality must be demonstrated, not merely asserted. The Commission’s decision, for its part, conducts a detailed review of the UK regime, covering the ICO’s powers and the processes under the Investigatory Powers Act (IPA). It concludes that any interference with fundamental rights in respect of data transferred to the UK for law enforcement and national security purposes will be limited to what is strictly necessary. It does not, however, address the UK’s incomplete response to the Tele2/Watson ruling, or the potential unlawfulness of the conduct of UK agencies identified in existing cases. Given the criticisms of the US system in Schrems II, this aspect of the decision might well face challenge.

Finally, the decisions are unusual in setting a four-year validity period, with the stated aim of “future-proofing” the arrangement. This time limit, absent from other adequacy decisions, may reflect concerns about the UK government’s future data protection plans. The EDPS has suggested that any significant reduction in protection would stand in the way of a future adequacy finding, implying that backsliding is a real concern.

What Next?

The Commission’s announcement of draft adequacy decisions for the UK was welcomed by the UK government, the ICO and industry. The decisions emphasise the strengths of the UK system, which is understandable given that adequacy requires an essentially equivalent level of protection rather than an exact replica of the GDPR and LED.

However, the EDPB’s opinion, which must be sought under Article 70 GDPR, carries weight. The decisions must also go through the comitology procedure, including submission to the Article 93 Committee, and are subject to scrutiny by the European Parliament and the Council.

Furthermore, challenges to the adequacy decision remain possible, particularly concerning national security and the extent of permissible state surveillance. While past challenges have come from privacy advocates, the European Parliament or individual regulatory authorities could also initiate legal action.

Adequacy Decisions – Update (June 30, 2021)

The European Union has formally adopted the adequacy decisions for the UK. The decisions, arriving just in time to avoid reliance on Standard Contractual Clauses and Binding Corporate Rules as the only transfer mechanisms, have been well received. Two points are nonetheless worth highlighting.

First, the decisions acknowledge that the UK’s current system, although not perfect, implements the GDPR and LED, which made a finding of adequacy almost inevitable. The UK government’s emphasis on developing its own data policies, in particular those that might weaken GDPR-level protections, is noteworthy in this context. The adequacy decisions also rely on the UK’s continued adherence to the European Convention on Human Rights and to the jurisdiction of the European Court of Human Rights.

Second, the decisions unusually include a sunset clause: they expire after four years, and the Commission may review them at any point during that period. Several points of concern are evident. For instance, transfers of personal data for UK immigration control purposes are excluded from the scope of the decisions (though other transfer mechanisms remain available), reflecting concerns about the immigration exemption. The decisions also include monitoring mechanisms aimed at data protection practice, particularly at instances where the ICO fails to ensure compliance or where public authorities interfere with individuals’ rights beyond what is strictly necessary. These concerns appear to be directed at data sharing by public authorities and at possible limitations on individuals’ rights in order to facilitate data analytics.

These factors suggest that the adequacy decisions are not permanently settled. There is concern, especially within the EU, about the UK government’s plans to reduce data protection. It remains to be seen what action will be taken by those outside the EU political framework. Despite the attempt within the decisions to address concerns about mass surveillance, legal challenges remain possible, and the question of whether the UK surveillance regime ultimately meets the standard of essential equivalence set out in Schrems I is still open.

Barnard & Peers: chapter 26

Photo credit: By Christoph Scholz - EU Puzzle mit Grossbritannien

Licensed under CC BY-NC-SA 4.0