By: Dr Tristan Jenkinson
With a Brexit Trade and Cooperation deal now announced, topics such as fishing, free trade and the level playing field have dominated the headlines. There has been little coverage of the agreements and implications for data flows between the UK and EU. An interim agreement on data has been reached, but the future of these data flows still remains unclear.
In this article I discuss the issues which could have an effect on the continued flow of data from the EU to the UK, the agreement itself and the implications for the future.
The Importance of Data
The lack of headlines should not be seen as a reflection of the importance of EU-UK data flows. At the end of November, Elizabeth Denham (the UK Information Commissioner) wrote a letter to the Financial Times in which she highlights that:
“[t]he data market in the UK is the largest in Europe, and innovative use of personal data has driven growth in the digital economy, particularly over the past year. It is vital businesses do not take the flow of that data for granted”.
Under the General Data Protection Regulation (GDPR), data flows between EEA (European Economic Area) countries are automatically allowed. Transfers from the EEA to “third countries” (those countries outside of the EEA) are only allowed in certain circumstances.
When the United Kingdom was a member of the European Union (EU), it was also part of the EEA (which any EU member state is required to be). Therefore any data flows with other EU countries were automatically allowed.
The UK left the EU on 31 January 2020, but the transition period which was implemented allowed those data flows to continue until 31 December 2020.
If no further agreement had been made, when Big Ben chimed in the New Year at midnight on 31 December 2020, the UK would have become a third country and the transfer of personal data from any EU member state to the UK would have been far more complicated.
Third Countries and Data Flows
Articles 44 to 50 of the GDPR cover the transfer of data to third countries. Under the GDPR, there are only a few ways that data can be legally transferred from the EU to a third country.
- Where an adequacy decision is in place – The EU states that a specific country has data protection laws in place that offer adequate protection and so allows data transfers to that country. Examples of countries with adequacy decisions are Jersey, Guernsey, New Zealand and Switzerland (A full list can be found here)
- Where appropriate safeguards are in place – Only a few specific options are available. These include the use of Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs).
- Other limited specific situations, such as where consent has been provided, if the transfer is necessary for the performance of a contract or for public interest reasons.
The Agreement on Data Flows
The full text of the agreement on data flows has not yet been released, but the summary provided by the government states that the agreement includes a provision which extends the free flow of personal data between the UK and EU states for a maximum of six months, or until the EU reach an adequacy decision for the UK. It is reported that the six-month period will be made up of a four-month period with a two-month extension which will automatically apply unless one of the parties objects.
This means that as things currently stand, EU-UK data flows will be authorised until 30 June 2021. The EU are currently assessing if the UK data protection laws are to be considered suitable. If the EU provides an adequacy decision (confirming that the UK protections are indeed adequate) and that decision is made by 30 June 2021, then data flows will be able to continue uninterrupted.
In a statement for the Information Commissioner’s Office (ICO), Elizabeth Denham said about the agreement “[t]his is the best possible outcome for UK organisations processing personal data from the EU” and announced that the relevant ICO guidance would be updated.
Although not yet ratified by the European or UK Parliaments, the Trade and Cooperation Agreement (including the agreement on data flows) will take effect, in a provisional capacity, on 1 January 2021.
However, things may not be as simple as they appear.
Will the UK Receive an Adequacy Decision?
On the face of it, the UK appear to have a history of strong data protection laws, including the implementation of the GDPR (which will be incorporated into UK law from the end of the transition period and will be used alongside the Data Protection Act 2018 – for example see here). It would therefore appear that an adequacy decision should be a fairly straightforward decision.
However, many suspect that this is not the case, and fear that an adequacy decision may not be forthcoming from the EU. For example, in a poll published by Data Protection Network 55% said that they did not think that the UK would be granted adequacy by the EU.
There are a number of reasons for this, discussed below.
The UK has suggested it wants to move away from GDPR
In September 2020, it was reported that Dominic Cummings was proposing a radical rewrite of the UK’s data protection laws. This followed a Government paper on the National Data Strategy which stated that:
“Under this strategy, data and data use are seen as opportunities to be embraced, rather than threats against which to be guarded”
“… It means maintaining a regulatory regime that is not overly burdensome for smaller businesses and that supports responsible innovation. It means driving a radical transformation of how the government understands and unlocks the value of its own data”
“… it means positioning the UK as a global champion of data use, and encouraging the international flow of information across borders.”
Dominic Cummings had previously stated his intentions to alter the UK’s approach to data protection, for example in a blog-post dated 27 April 2018 in which he stated:
“The GDPR legislation is horrific. One of the many advantages of Brexit is we will soon be able to bin such idiotic laws. We will be able to navigate between America’s poor protection of privacy and the EU’s hostility to technology and entrepreneurs”
Suggestions of a major divergence from the GDPR raised red flags to those at the EU who were considering if the data protection laws in place for the UK were adequate.
Since Dominic Cummings’ exit from his role as Boris Johnson’s chief advisor, there may be less risk of such a divergence from the GDPR occurring, though the National Data Strategy remains online.
The draft text of the Brexit Agreement that has been released by the EU has a section covering a number of requirements with regard to data protection (Article LAW.GEN.4 on Page 283) and the Trade and Cooperation Agreement “Brochure” published by the EU confirms that:
“[t]he Agreement also includes a commitment by the EU and UK to uphold high levels of data protection standards. This will be ascertained by adequacy decisions taken unilaterally by each side”
This is in addition to a statement on the Government website which states:
“The UK has and will maintain high standards of protection for personal data which includes, at the point the Transition Period ends, the same regulatory framework for data protection as the EU and therefore is clearly essentially equivalent to the EU on data protection”
Concerns about a change in approach to data protection may therefore not be as significant as they originally appeared.
There are, however, at least two further major issues to consider.
In their September article about potential divergence from the GDPR, The Guardian reported that EU officials had identified two key issues which may prevent the UK from receiving an adequacy decision. These were the onward flow of data (specifically to the US) and the use of data by the UK Intelligence Services.
The first concern is with regard to where data may be sent to (or shared with) after it is received in the UK. A particular concern relates to the transfer of data to the US. This concern may stem from a combination of the “Access to Electronic Data for the Purpose of Countering Serious Crime” data sharing agreement between the UK and US which came into force in February 2020 (which White & Case have written about here) and the judgment in the Schrems II case which, in part, highlights issues with EU citizens’ data being transferred to the US without their consent.
The draft Trade and Cooperation text issued by the EU states that the parties agree that “onward transfers to a third country are allowed only subject to conditions and safeguards appropriate to the transfer ensuring that the level of protection is not undermined”. This may help to quell concerns over the further transfer of data, however, it is not clear if the EU will consider that this is enough, or if the UK may choose a softer interpretation of the wording than the EU would like.
The Investigatory Powers Act
The biggest challenge to the UK receiving an adequacy decision is likely to be the use of personal data by the UK Intelligence Services, and specifically the Investigatory Powers Act.
The Investigatory Powers Act 2016 was dubbed “The Snoopers Charter” by the media. At the core of the Investigatory Powers Act is a section that requires internet providers to store a record of users’ internet connections for a period of one year, which can then be requested by police or security services.
In October 2020, the Court of Justice of the European Union ruled that the Investigatory Powers Act (and other similar laws in Belgium and France) were not compatible with EU law. A copy of the judgment can be found here.
The ruling raised concerns – if UK laws relating to mass surveillance were against EU law, could the UK be seen to offer “essentially equivalent” protection to EU citizens in the EU? If the EU decide that the answer is negative, then an adequacy decision would seem unlikely.
It is worthy of note that the ruling with regard to the Investigatory Powers Act was not a one-off – the Act was brought in (at least in part) to address previous issues with mass surveillance. In 2018 the European Court of Human Rights found that the mass surveillance carried out by the UK Government Communications Headquarters (GCHQ) was in breach of privacy laws.
The mass surveillance operation was reported by whistleblower Edward Snowden in 2013 and included the bulk interception of communications under an operation codenamed “Tempora”. More can be read here.
A Further Adequacy Concern?
The issues with the Investigatory Powers Act and how it could impact an adequacy decision do not end there. There may also be considerations in relation to the judgment in the Schrems II case.
This was a ruling by the Court of Justice of the European Union that the mechanism for transfer of data between the EU and US (known as Privacy Shield) was invalid and could no longer be used.
One of the main reasons that the US were not considered to offer an “essentially equivalent” level of protection was their mass surveillance programs. If mass surveillance was the reason for transfers to the US to be deemed inadequate, could the UK be deemed adequate if they too have mass surveillance systems in place which are deemed to be incompatible with EU law?
What Next if No Adequacy Decision is Provided
The situation after 30 June 2021 becomes far less clear if the EU decide not to issue an adequacy decision.
It is possible that many data flows from the EU to the UK could rely on Standard Contractual Clauses (SCCs). The ICO identify that “SCCs are one of a number of safeguards which can be used to comply [with the GDPR], and the one most likely to be appropriate for small and medium-sized businesses”.
However, as reported by the European Parliament, as a result of the Schrems II judgment, controllers or processors seeking to rely on SCCs for data transfers “must ensure that the data subject is granted a level of protection essentially equivalent to that guaranteed by the General Data Protection Regulation”. This again raises the question of equivalence of protection, and could be contested based on the above.
The agreement on trade and cooperation between the UK and EU allows for an additional 6 months of data flows between the EU and UK. In the meantime, the EU will consider if the UK offers an adequate level of protection and should therefore be provided with an adequacy decision under the GDPR.
If an adequacy decision is granted, and this is provided before the end of June 2021, then data flows between the EU and UK can continue uninterrupted.
If the UK does not receive an adequacy decision, or no decision is made by 30 June 2021, then data flows from the EU to the UK could face difficulties under the GDPR from 1 July 2021 onwards.