Adequacy decision and Brexit
In the digital age, international transfers of personal data are crucial to business operations; however, transfers of personal data from the EEA to the UK may face obstacles after the Brexit transition period.
Under the General Data Protection Regulation (‘GDPR’), international transfers of personal data outside the EEA are restricted unless adequate safeguards are put in place. One of the permitted safeguards is for organisations in the EEA to transfer personal data to a third country that has received an ‘adequacy decision’ from the European Commission, which certifies that the relevant country provides a level of protection of personal data substantively similar to that of the GDPR.
The UK government is therefore keen to obtain an adequacy decision before the end of the Brexit transition period to prevent disruptions to businesses and to permit the free flow of data between the UK and EU to continue. In March, the Department for Digital, Culture, Media & Sport published an explanatory framework which sets out the UK’s data protection legal framework and argues that the UK upholds a high standard of data protection in compliance with GDPR.
The European Data Protection Supervisor (‘EDPS’) previously also commented in its Opinion on the opening of negotiations for a new partnership between the UK and the EU (the ‘Opinion’) that the UK may benefit from its status as a former EU Member State and its current compliance with GDPR. However, the EDPS was also concerned with the UK’s potential repeal of the Human Rights Act 1998 and emphasised that future regulatory developments in the UK will need to be regularly monitored by the Commission.
UK-US electronic data sharing agreement - a new obstacle to an adequacy decision for the UK?
A recent letter from the Chair of the European Data Protection Board (‘EDPB’) indicates that the EDPB is now also concerned with the Agreement between the UK and US on Access to Electronic Data for the Purpose of Countering Serious Crime (the ‘Agreement’). The Agreement is intended to allow law enforcement authorities of both countries to request access to electronic evidence, including personal data, held by relevant businesses based in the other country, for the purpose of preventing and prosecuting serious crime. The arrangement is expected to run in parallel with the existing mutual legal assistance regime, which has been criticised for being slow and inefficient. In the US, the bilateral agreement is implemented through the Clarifying Lawful Overseas Use of Data Act (the ‘CLOUD Act’).
Having carried out a preliminary review of the wording of the Agreement and the CLOUD Act, the EDPB expressed its concerns in relation to the following issues:
- in the event of conflict between the Agreement and the CLOUD Act, especially in relation to data protection, it is not evident that the Agreement will prevail. In comparison, the Chair of the EDPB noted that the EU and the US are also negotiating an equivalent agreement to facilitate the sharing of electronic data and that the EU-US agreement must prevail over US domestic laws, especially in relation to regulations on onward transfers of personal data.
- it is, in the eyes of the EDPB, essential that requests made under the Agreement and the CLOUD Act are subject to mandatory prior judicial authorisation. Whilst the Agreement does indicate that requests made under the Agreement are subject to the “application of domestic law”, the EDPB considers the wording is not sufficiently clear.
- the concerns of the EDPB in relation to the Agreement will need to be taken into account by the European Commission in its assessment of the UK’s adequacy decision application.
Implications of Schrems II on the UK’s adequacy decision
In the much-anticipated Schrems II judgment (which we discussed here), the Court of Justice of the European Union (‘CJEU’) held that the EU-US Privacy Shield is invalid under EU law due to the intrusive nature of surveillance programmes undertaken by the US government and intelligence agencies, and the limited ability of non-US citizens to challenge the US government’s processing of their data in this manner.
The court further held that when parties rely on the standard contractual clauses (‘SCC’) to transfer personal data, parties should verify whether in practice the data importer is likely to comply with its obligations under the SCC, taking into account the right of the local public authorities to access the personal data transferred and the judicial redress available to the data subjects. Where the data importer is unlikely to comply with the SCC, the parties must suspend the data transfer.
It is clear from the Schrems II judgment that the CJEU considers the following factors crucial when assessing a country’s level of protection of personal data:
- the extent to which a country’s law enforcement and public authorities can access citizens’ data, and
- the associated judicial control over the public authorities’ power.
Since the US surveillance programmes examined in Schrems II are already regarded by the EU as intrusive from a data protection standpoint, if the UK’s data sharing agreement with the US does not address the concerns of the EDPB set out above, it may become questionable whether the UK would be granted an adequacy decision.
Previously, it was hoped that even if the UK failed to secure an adequacy decision in time, EEA businesses could still rely on the SCCs to transfer personal data lawfully under GDPR. However, the Schrems II judgment means that where the root cause of the lack or suspension of an adequacy decision is a third country’s lack of protection for onward transfers of personal data, the SCCs may not be a suitable alternative, especially for data importers who are regularly subject to requests for access to data by state authorities.
What does this mean for businesses?
In light of the EDPB’s letter and the Schrems II decision, there is increasing risk that the UK may not obtain its adequacy decision prior to the end of the Brexit transition period. The conditional application of the SCCs also means that some EEA businesses may have to rely on binding corporate rules and GDPR exemptions to transfer data to the UK after the Brexit transition period, unless and until the UK addresses the concerns of the EDPB and the EDPS.
In addition, the US is not the only jurisdiction where local surveillance law is controversial. Subject to further regulatory guidance, Schrems II may have opened a new era where businesses must stay vigilant and undertake their own assessment to understand the data protection regimes of the non-EEA countries to which they transfer personal data. We expect that national data protection authorities will provide more guidance on how such assessment may be carried out.
If you need assistance in dealing with data protection issues and preparation for the Brexit transition period, please contact David Varney.