Post-Privacy Shield, what chance for a Brexit data adequacy deal?

Surveillance laws

As Computer Weekly reported last week, Kahn and Treacy are not alone in this assessment. Daniel Tozer, head of data and technology at law firm Harbottle & Lewis, also said the judgment raised questions over the ability of organisations to easily move data between the EU and the UK, especially given the state of the UK’s surveillance laws and its membership of Five Eyes, the anglophone intelligence-sharing alliance that also includes Australia, Canada, New Zealand and the US.

Open Rights Group executive director Jim Killock, meanwhile, said it was inevitable the UK’s surveillance regime will now be questioned following the judgment, because Europe had made it clear that it has rejected Privacy Shield precisely over surveillance concerns.

Treacy said that prior to the UK leaving the EU, national security and surveillance was not an area that fell within the competence of the EU, but that would clearly change after the Brexit transition period ends.

“Once we leave the EU, then those laws are subject to scrutiny and assessment, as we’ve seen with the US in the context of Privacy Shield,” she said. “That is something that has already been flagged as a potential hurdle for the UK in the context of an adequacy assessment.

“It’s interesting, too, with some of the comments that have been made on the judgment, thinking about those and the broader context because, of course, the US and the UK are members of the Five Eyes framework and two other countries that have been assessed as adequate are New Zealand and Canada. It will be interesting to see whether in fact this is then reopened and whether any of those countries are subject to additional scrutiny.”

It might also be considered something of an irony that the EU has no say over the surveillance laws that its members enact, so there may be countries in the EU that have far more stringent surveillance laws than the UK, opening up the possibility that, technically, EU citizen data could be safer held in the UK than in a member state that had, for example, enacted unfair surveillance legislation, or compromised the independence of its judiciary.

Beyond GDPR

Treacy noted that the UK clearly aimed to be assessed as an adequate jurisdiction from a data protection standpoint, and this could be seen in some of the strategic decisions taken in relation to the 2018 Data Protection Act, which goes beyond what is required by the General Data Protection Regulation (GDPR) alone.

“We’ve sought to have very consistent and actually, in some respects, more extensive data protection law here than in the EU and obviously that’s done with a view to helping that adequacy assessment,” she said.

“An important point to note is that this judgment is going to be part of UK law, so we will continue to need to take note of it, and we will need to comply with what it requires even after we have left the EU, because it will be part of our law.”

Treacy argued that given these factors, plus others such as the independence of the UK’s legal system and its data protection regulators, and the fact that individuals have rights and access to legal redress, the UK ticks a lot of boxes.

“The big unknown is how our surveillance laws would be assessed,” she said. “At the end of the day – and you see this too with the Privacy Shield negotiations – it’s not just a purely objective assessment – there will be other factors that will be discussed and taken into account as well, and it’s not always clear exactly what they are.”

What to do next

As we wait for an outcome either way, it is sensible for organisations to prepare for the eventual decision on data adequacy to go against the UK, and Segment’s Kahn said it is worth considering this today.

“Recent ICO statements confirm that UK businesses can continue to rely on Privacy Shield for now – a clear indication that the UK wishes to set itself apart from the EU in its approach,” he said. “On the plus side, that means British businesses can probably expect a more straightforward path to transatlantic data transfers after the transition period. With the EU, however, things just became a lot more complicated.

“No matter the outcome for the UK, the ECJ ruling makes clear that businesses need to know exactly what data they have, where it came from, and how it’s flowing through their systems and services. Doing the bare minimum to honour privacy rights is no longer enough at an ethical level – and in an age of regulatory uncertainty, it’s also an unwise move in terms of future compliance.”

There are several things that UK-based organisations can do right away to put themselves in the best possible position going forward, said Hannah Ife, an associate at JMW Solicitors. The first step is to review personal data flows into and out of the EEA, identify key mechanisms relied on for transferring personal data, paying particular regard to standard contractual clauses (SCCs), which may need revision should the EU release new ones.

Multinationals should think about how they use any current EEA-approved binding corporate rules for transfers in and out of the UK, and update them to reflect the UK’s new status as a third country.

Ife also advised updating documentation and privacy notices to cover UK-EEA data transfers under UK adequacy regulations, and if you also transfer data from the US, to check that whoever you transfer data to there has made the required updates to their commitment to comply with Privacy Shield.

UK-based data controllers that have no offices in the EEA but transfer data on European citizens there should also consider appointing a local European representative under Section 27 of the GDPR – and the reverse holds true for European controllers transferring data on UK citizens.

Finally, said Ife, organisations will need to review privacy notices, data protection impact assessments (DPIAs) and other documentation to include updated references to EU law, UK-EU data transfers, and so on.