EU: Data flows post-Brexit - Choppy waters ahead?
An important cross-cutting factor for trade between the UK and the EU after Brexit is the transfer of data. However, the UK’s lead negotiator, Lord Frost, recently stated that discussions on this topic had “gone a bit more slowly than we thought”, partly as a result of the CJEU’s decision in Schrems II and Privacy International.
We consider why these judgments have complicated the adequacy process and the challenges for data transfers in the absence of adequacy.
The General Data Protection Regulation (GDPR) contains a restriction on transfers of personal data to third countries. There are a number of exceptions to this restriction, but for many transfers the only practical solutions are:
- a finding by the EU Commission that the third country has adequate data protection laws, known as an adequacy finding; or
- the use of Standard Contractual Clauses. These are a template contract prepared by the EU Commission.
Once Brexit takes place, the UK becomes a third country for the purposes of the GDPR. This does not create a problem for transfers of personal data from the UK to the EU, as the UK has unilaterally recognised the EU as providing adequate protection for personal data. However, the position is not the same for transfers from the EU to the UK. These must still comply with the strict rules within the GDPR.
This is an important issue. In practice, it is often impossible to untangle personal data from other forms of data, meaning that the GDPR risks creating a de facto barrier to all data transfers. Moreover, data transfers are of vital importance to our modern interconnected economy. They underpin not only information technology services, but also financial services and, increasingly, manufacturing given the rise in connected devices.
Challenges to adequacy
The optimum solution would be a finding by the EU Commission that the UK provides adequate protection for personal data.
On the face of it, this is an obvious conclusion. The UK will incorporate the GDPR into domestic law after Brexit meaning that its data protection laws are not just “essentially equivalent” to the GDPR but identical in all material respects.
However, the position in practice is more complicated. As the UK will be a third country, the EU Commission must consider not just domestic data protection laws but also wider factors. Accordingly, the process is likely to be going “more slowly” than expected due to some or all of the following factors:
- Government surveillance: The EU Commission’s adequacy assessment must consider national security and law enforcement powers. In the UK, this means an assessment of the Investigatory Powers Act 2016 which, on the face of it contains some fairly extensive powers including the ability to carry out bulk communication data acquisition, bulk interception and bulk computer hacking. However, these powers are tightly constrained through, amongst other things, an express statutory requirement for proportionality and strict limitations on the purposes for which they can be exercised. Added to that is independent judicial ex ante approval, and ex post supervision, through the Investigatory Powers Commissioner.
- Impact of Privacy International: In contrast, the judgment in Privacy International (C-623/17) considered the now repealed section 94 of the Telecommunications Act 1984. This relic of the 1980s was a dark secret in telecoms circles for many years. It allowed the Secretary of State to issue directions to telecoms operators where it appeared to be necessary for the purposes of national security or international relations. Directions could be issued in secret with no real oversight or accountability, so it is no surprise that their historic use to conduct bulk communications data acquisition was “general and indiscriminate” and so a breach of EU law. However, the CJEU issued another judgment on the same day (La Quadrature du Net, C-520/18, C-511/18 and C-512/18) that suggests more flexibility about the use of bulk powers, noting that where appropriate safeguards are in place they may well be justified for a limited amount of time where a State is facing a serious national security threat that is genuine or foreseeable. Whether that flexibility extends to the Investigatory Powers Act 2016 remains to be seen. Much here may depend on whether the discretionary framework created under that Act, which relies heavily on the statutory requirement for proportionality and judicial approval, is sufficient or if specific protections need to be “hard coded” into the law.
- The implementation of the GDPR: Another concern is the UK implementation of the GDPR, which will be carried over post-Brexit. While the GDPR will be directly incorporated into UK law after Brexit with only minimal amendments, the accompanying UK Data Protection Act 2018 exercises a variety of derogations to the GDPR. One particular bone of contention is the immigration exception in paragraph 4 of Schedule 2 of that Act. Amongst other things, this allows personal data to be withheld in response to subject access requests where disclosure would prejudice immigration control. The High Court dismissed a challenge to this exception, mainly on the basis that it only applies in the limited situations in which prejudice arises (R (Open Rights Group & the3million) v Secretary of State for the Home Department EWHC 2562). Given this conclusion, it is difficult to see why this would be a serious barrier to an adequacy finding.
- Lack of enforcement by the Information Commissioner: Similarly, objections have been raised to an adequacy finding on the basis that the Information Commissioner is not an “effectively functioning” supervisory authority, largely because of the lack of enforcement action in relation to Adtech. The Information Commissioner’s enforcement record under the GDPR is still a bit mixed with only three fines under the GDPR to date but it has taken a range of other regulatory action and it remains one of the largest and best funded data protection regulators in Europe. There has also been limited enforcement by other EU regulators against the core Adtech market, with the exception of recent action by the Belgian regulator, so this should not be a barrier to an adequacy finding.
- Potential reforms to UK data protection laws: A further potential issue is reforms to UK data protection laws. The UK Government has published a consultation on its National Data Strategy which it describes as “an ambitious, pro-growth strategy that aims to drive the UK in building a world-leading data economy while ensuring public trust in data use”. This could lead to changes to the UK data protection laws, which might be limited or transformational. However, any significant changes will take some time and refusing adequacy simply because the UK might change its data protection laws at some point in the future seems difficult to justify.
- Onward transfers to the US and elsewhere: One issue in the UK’s National Data Strategy that is potentially more difficult is the strong emphasis on freeing up cross-border dataflows. For example, if the UK were to remove all restrictions on the transfer of personal data to third countries not currently recognised as adequate by the EU, such as the US, that would likely concern the EU Commission.
- Rule of law and human rights: Finally, the assessment will include an assessment of the rule of law in the UK. The UK has a proud history of upholding the rule of law and a strong and independent judiciary. It has also incorporated human rights into UK law through the Human Rights Act 1998. However, recent developments in the UK, in particular in relation to the Internal Markets Bill, are unhelpful.
The adequacy assessment thus requires the EU Commission to assess a range of factors. While there are good arguments that the UK should receive an adequacy finding, this is not a certainty.
Importantly, this is not entirely within the EU Commission’s gift. The EU Commission will have to follow the process in Article 93(2) of the GDPR and must: (i) seek an opinion from the European Data Protection Board on any positive adequacy finding; (ii) seek approval of a committee composed of representatives of the Member States under the comitology process; and (iii) make the draft decision available to the EU Parliament and Council.
The EU Commission will also be aware that if adequacy is granted, that finding could itself be subject to challenge in the CJEU, albeit judgment on this issue is likely to take several years.
Impact of the (potential) EU-UK trade deal
In theory, the adequacy process is autonomous from any wider discussions about an EU-UK trade deal. This reflects the legal process for making an adequacy finding (discussed above) and the fact data protection is a fundamental right under the EU Charter of Fundamental Rights.
In practice, the two are likely to be closely tied together. If trade talks end acrimoniously, it seems unlikely that any adequacy finding will be forthcoming (or indeed that UK institutions will be encouraged to act in a way that seeks to close any adequacy gaps, for example in the direction of the ICO’s enforcement). In contrast, if the UK and EU agree anything more than a “super skinny” trade deal it seems likely that it will be accompanied by an adequacy finding, not least because data flows are vital to support the cross border trade envisaged by that deal.
Transfers in the absence of adequacy
There is no certainty the UK will get an adequacy finding so businesses should take steps to ensure that transfers from the EU to the UK can continue after Brexit. While there are a number of different justifications for those transfers, in many cases the only practical option is Standard Contractual Clauses (SCCs).
This means businesses should identify all transfers of personal data from the EU to the UK and take steps to document them using SCCs (with those SCCs either made conditional on the UK not being granted adequacy or only signed in such an eventuality). Given years of deep integration between the EU and UK, identifying all these data transfers may not be a straightforward task.
Following the CJEU’s decision in Schrems II (C‑311/18), exporters in the EU must also assess the risks for any transfer on a case-by-case basis – likely to be through a so-called transfer impact assessment (“TIA”). This TIA will include a broad assessment of the data protection framework within the UK, which raises similar issues to the adequacy process discussed above.
However, while an adequacy finding is generically applicable to all data transfers, the TIA is specific to the actual data being transferred. This means in some cases it will be relatively easy to conclude that the personal data being transferred will be sufficiently protected regardless of the wider position on adequacy. In particular:
- Encryption: If the data being transferred is subject to secure end-to-end encryption, that will likely protect it from interception by the UK national security or law enforcement agencies. While the Investigatory Powers Act 2016 does give the Government the power to issue a Technical Capability Notice to require a telecoms provider to remove any encryption, that is limited to encryption applied by the telecoms provider itself. Similarly, the decryption powers in Part 3 of the Regulation of Investigatory Powers Act 2000 can only be used in limited cases, such as the prevention or detection of crime and national security, and are only rarely used in practice.
- Data specific risk: The assessment should reflect the actual data being transferred. Given the restrictions on circumstances in which the UK Government’s investigatory powers can be used, such as the general proportionality requirement and restricted list of statutory purposes in the Investigatory Powers Act, it is likely to be possible to conclude the risk of vanilla commercial data (containing personal data) being acquired and/or used by the UK law enforcement and national security agencies is very limited.
In practice – Castle wall or moat?
Notwithstanding these conclusions, in the absence of adequacy there are likely to be choppy waters ahead.
This is partly because there will be no centralised process to assess transfers of personal data to the UK and no single universal conclusion. Each data exporter will have to consider if the transfer is permitted based on the particular circumstances of the transfer and the guidance from their local regulator. Given the widely divergent approaches taken by EU regulators in respect of transfers to the USA after Schrems II, it is likely that some EU regulators will take a conservative view of transfers to the UK after Brexit.
Put differently, the rules on transborder data flow in the GDPR are not a digital castle wall selectively permitting some transfers and denying others with absolute certainty. Instead, they are an analogue moat for exporters to swim through. In the vast majority of cases, standard contractual clauses and a robust transfer impact assessment should ensure a safe crossing, but some EU exporters might still keep their data safe and dry within the EU.
By Georgina Kon and Richard Cumbley