The Trade and Cooperation Agreement (“TCA”) agreed on 24 December 2020 (and still to be ratified by the European Parliament), includes interim provisions for continuing unrestricted transmission of personal data from the European Union (“EU”) to the United Kingdom (“UK”) until 1 May, with a possible extension until 1 July 2021. Now that it has left the EU the UK is a ‘third country’ and must demonstrate an adequate level of personal data protection, in accordance with article 45 of the General Data Protection Regulation (“GDPR”), to allow trouble free cross-border transfers of personal data from the EU to continue. The EU Commission has recently launched the process that may lead to the adoption of an adequacy decision in respect of the UK legal regime for the protection of personal data. For transfers in the opposite direction, the UK government has stated that transfers of data from the UK to the EEA are permitted, although it says it will keep this under review).
The GDPR and the UK – setting the Scene
As it was an operative EU Regulation the GDPR was included as UK domestic law from exit day (31 January 2020) by section 3 of the (UK) Withdrawal Act. Secondary legislation, the prosaically named ‘Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019’ (“DPPExitRegs19”), came into force on exit day. The DPPExitRegs19 amend the main pre-existing national legal instrument, the Data Protection Act 2018 (“DPA18”) to remove all references to EU Institutions and bring a ‘UK GDPR’ into existence.
Schrems I and II
The two Schrems judgments of the Court of Justice of the European Union (“CJEU”) clarify that the basis for granting an Adequacy Decision is ‘essential equivalence’. By reference to last year’s Schrems II judgment, the EU Commission identifies the guiding principles under which Government access to personal data transferred to the UK would fulfil the ‘essential equivalence’ test. These were published in its draft adequacy Decision on 19 February 2021.
The ‘guiding principles’ include that:
• Any limitation to the right to the protection of personal data must be provided for by law and the law permitting such interference must itself define the scope of the limitation of the exercise of the right concerned.
• The legislation must be legally binding under domestic law and the legal requirements must also be enforceable against the authorities of the third country in question.
• In particular, data subjects must have the possibility of bringing legal action before an independent and impartial court in order to have access to their personal data, or to obtain the rectification or erasure of such data.
General Legal Framework
In making its assessment of the UK’s compliance with the guiding principles mentioned above, the EU Commission has referred itself in particular to the general legal framework applicable in the UK and its relationship to international legal standards. Specifically, it takes into account that the UK has ratified the European Convention on Human Rights (“ECHR”) and the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (“Convention 108”). It also recognises that the UK signed the Protocol (known as Convention 108+) amending and updating Convention 108, in 2018.
EU Commission conclusions regarding Government access
The EU Commission concludes that through membership of the Council of Europe, adherence to the ECHR and submission to the jurisdiction of the European Court of Human Rights in Strasbourg (not to be confused with the Court of Justice of the European Union (“CJEU”), in Luxembourg), the UK’s arrangements for Government access are subject to principles, safeguards and individual rights similar to those guaranteed under EU law and applicable in the EU the Member States.
The EU Commission re-emphasises that continued adherence to such international instruments is a particularly important element of the assessment on which its (draft) Decision is based. The CJEU considered the lack of an independent procedure for judicial review under the Ombudsperson mechanism to be a fundamental flaw of the EU Commission’s Privacy Shield adequacy Decision.
Any adequacy decision is likely to be adopted on the basis of this static analysis of the UK’s legal framework concerning human rights and independent judicial review, notwithstanding the fact that the framework is likely to change. The UK Government is reviewing the 1998 Human Rights Act, which implements the ECHR in UK Law. The 2019 Conservative Party Manifesto says:
“We will update the Human Rights Act and administrative law to ensure that there is a proper balance between the rights of individuals, our vital national security and effective government. We will ensure that judicial review is available to protect the rights of the individuals against an overbearing state, while ensuring that it is not abused to conduct politics by another means or to create needless delays”.
UK Government Reviews
In fact two Government reviews have been set up. The first, an Independent Review of Administrative Law (“IRAL”) was launched in July 2020 to consider options for reform to the process of Judicial Review. The second, launched by the Government on 7 December 2020 is an Independent Human Rights Act Review (“IHRAR”). The IRAL was due to report at the end of 2020 but its report has been delayed. The IHRAR is due to report in the summer of 2021.
Recent Government statements show the UK’s future intention to diverge from GDPR
In an article for the Financial Times on 27 February, the UK government minister for Digital, Culture, Media and Sport, Oliver Dowden, launched the recruitment process to find the UK’s next Information Commissioner and explained a new approach to sharing data “quickly, efficiently and responsibly for the public good”.
He commented that:
“The EU doesn’t hold the monopoly on data protection”. “So, having come a long way in learning how to manage data risks, the UK is going to start making more of the opportunities”. (…) “Right now, too many businesses and organisations are reluctant to use data — either because they don’t understand the rules, or are afraid of inadvertently breaking them. That has hampered innovation and the improvement of public services, and prevented scientists from making new discoveries”. (…) “The next Information Commissioner will not just be asked to focus on privacy, but also be empowered to ensure people can use data to achieve economic and social goals”.
The current Prospects
The EU Commission has responded to concerns over the future of data adequacy in the UK by pointing out that an adequacy decision would be subject to review after an initial four-year period.
Commissioner Věra Jourová, EU Commission Vice-President for values and transparency, stated when the draft adequacy decision was published, that:
“Ensuring free and safe flow of personal data is crucial for businesses and citizens on both sides of the Channel. The UK has left the EU, but not the European privacy family. At the same time, we should ensure that our decision will stand the test of time. This is why we included clear and strict mechanisms in terms of both monitoring and review, suspension or withdrawal of such decisions, to address any problematic development of the UK system after the adequacy would be granted.” (Emphasis added)
• Unfinished business from the UK-EU Exit negotiations is continuing as regards EU-to-UK personal data transfers.
• Hopefully, for commerce and in the interests of their respective citizens, the wider tensions that also remain (notably in respect of the Ireland Northern Ireland Protocol) will not have a negative impact on the proposed personal data adequacy Decision.
• However, there certainly are signs that both the UK and the EU are using the December 2020 Trade and Cooperation Agreement in a confrontational manner rather treating it as a platform that can be built upon.
• Accordingly, it may well be prudent for businesses to look at other means to ensure continuing EU/UK data flows, including the use of the new EU Standard Contractual Clauses. Following the joint (European Data Protection Board / European Data Protection Supervisor) Opinions of 14 January 2021, they should be available for use shortly.
• For larger companies, putting in place Binding Corporate Rules under Article 47 GDPR remains an important option.
+32 2 274 51 88
Avenue des Arts 46, 1000 Brussels, Belgium
+32 2 274 51 80
Disclaimer: This general memorandum may not deal with every important topic or cover all important aspects of the subject matter. It is not intended, and should not be used, as a substitute for seeking appropriate legal advice on specific questions.