Last month, the UK and the European Union (EU) put in place a short-term agreement as part of the Brexit deal to allow for the continued free flow of data, which supports more than £100bn in trade. But data protection experts have already raised concerns about the legitimacy of those arrangements – and are divided over what happens next.
Under the EU-UK Trade and Cooperation Agreement (TCA) – which was agreed by negotiators on 24 December 2020 and provisionally applicable since 1 January 2021 – the transmission of personal data from the EU to the UK “shall not be considered as a transfer to a third country under Union law”.
As far as transfers of personal data from the EU to the UK are concerned, the UK will essentially be treated, for an ostensibly limited amount of time and subject to certain conditions, as if it were still a member state.
These conditions include that the UK does not exercise certain “designated powers”, such as those granted under the EU Exit Regulations that allow British ministers to determine or revoke data adequacy decisions through the use of a statutory instrument, which would automatically bring an end to the specified period if used without the agreement of the EU.
In an article first published by LexisNexis on 29 December 2020, director of Fieldfisher’s privacy and information law group, Eleonor Duhs, wrote that the continued free flow of data is “particularly welcome”, especially in the context of recent research that “showed the cost of having to put alternative transfer mechanisms in place could have cost UK businesses £1.6bn”.
She added that “the agreement creates a ‘bridging mechanism’ to enable the free flow of data until adequacy decisions” can be made, which determines whether a country outside the EU offers an adequate level of data protection and therefore whether data can be shared with it.
Without this adequacy, she said, “substantial extra compliance burdens would arise for EU businesses which transfer data to the UK, at a time when many can ill afford it”.
However, according to a blog post published on 2 January by Douwe Korff – an emeritus professor of international law at London Metropolitan University who specialises in human rights and data protection – the temporary nature of the UK’s essentially adequate status under the TCA is a “legal fiction”, and the European Parliament should remove the article that allows it on the basis it “fundamentally undermines” the bloc’s data protection laws.
This is because, he said, under the General Data Protection Regulation (GDPR), personal data may only be freely transferred across borders either between member states or from member states to a third country that has been deemed to have an “adequate” level of data protection by the European Commission (EC).
While personal data transfers can still take place to non-adequate third countries if there are appropriate safeguards in place, such as standard contractual clauses (SCCs), Korff said: “There are no other kinds of cross-border transfers of personal data conceived of in EU data protection law (or in the Treaties).”
According to Korff, the TCA article in question, titled FINPROV.10A, “drives a horse and cart through this by pretending that (for the specified period and subject to the specified conditions) transfers of personal data to the UK are not ‘transfers to a third country’.”
“It does so without any actual assessment of the UK data protection regime as it will apply from 1 January 2021, and without following the process for adequacy decisions,” he added.
It should be noted that in July 2020, a landmark ruling by the European Court of Justice (CJEU) that struck down the US-EU Privacy Shield data sharing agreement also cast doubt on the legality of using SCCs as the basis for international data transfers.
It found that although they were legally valid, companies still have a responsibility to ensure that those they share data with grant privacy protections equivalent to those contained in EU law.
According to Max Schrems, the founder of noyb.eu, who filed the original complaint against Facebook in 2013 that led to the CJEU’s decision (colloquially known as Schrems II), there is a legal conflict between what the GDPR and the treaty say.
“We are not sure how this is to be interpreted and are right now taking a deeper look. In reality, the periods are so short that any litigation would, in any case, take longer than just waiting until these provisions lapse,” he said.
Will adequacy be granted?
Tweeting on 24 December 2020 after the TCA was agreed, UK digital secretary Oliver Dowden wrote: “We have agreed to continue free flow of data between EU/EEA/EFTA & UK while EU completes its approval process for adequacy decisions. This arrangement will be time limited. UK will have full autonomy over its data rules from 1 January.”
However, according to Korff, the conditions for the special treatment of the UK wholly fail to address “existing deficiencies” in its data protection regime – such as the divergence between the definition of personal data in the GDPR and the UK’s 2017 Digital Economy Act – and ignore the mass surveillance it has been proven to carry out, which was done “under legal rules that manifestly fail to meet the conditions set by the Court of Justice of the EU in Schrems II and in the EDPB’s [European Board of Data Protection’s] European Essential Safeguards for surveillance”.
Therefore, while there is a strong assumption that adequacy will be granted in both the text of FINPROV.10A and the statement by Dowden, Korff claimed that “the UK cannot and should not be granted a positive adequacy decision unless” the above issues, among others, are dealt with.
“For the next few months, but possibly for much longer, the TCA effectively bypasses the GDPR process altogether, with an outcome that puts the UK in a better position than other countries considered for adequacy, in that the UK’s surveillance activities – unlike those of other third countries, including the US – are left conveniently out of consideration,” he said.
“The UK will have to choose: it either brings its law and practices in line with the European minimum standards… [so it] can then enjoy free data exchanges with the EU, or it will have to face and accept the negative consequences of not providing ‘essentially equivalent’ protection to personal data as are guaranteed in the EU,” he added.
Duhs, however, said there was no suggestion that the UK might be intending to lower its data protection standards, pointing to the TCA’s statement that both the UK and the EU “affirm their commitment to ensuring a high level of personal data protection” and a willingness “to work together to promote high international standards”.
She added that, as a departing member state, to suggest the UK is not adequate would set the bar for data adequacy “impossibly high”.
“It could create substantial difficulties for the EU in conferring new adequacy decisions (for example, on South Korea or on certified US companies under any replacement for Privacy Shield). It could also prove a barrier to continuing existing adequacy decisions,” she said.
“The burden of transferring data to third countries in the absence of an adequacy decision has increased following the Schrems II case. For example, transfer impact assessments require companies to conduct ‘mini adequacy assessments’ of countries to which data is transferred, using the same criteria as the European Commission when conferring adequacy decisions.
“These are complex considerations and particularly difficult for SMEs [small and medium-sized enterprises] to comply with. Adequacy for the UK means that this work does not have to be done.”
The partnership council
While the TCA article only applies for “the specified period”, which ends on either the date of the EU granting adequacy or four to six months after 1 January (whichever comes first), Korff said it could be “extended by the EU and the UK at will”, essentially kicking the problem down the road.
This is because other provisions in the TCA establish a Partnership Council, which will be comprised of co-chairs from the EU and UK and take its decisions, according to the TCA, “by mutual consent”.
The TCA added that each party “may decide on the publication of the decisions and recommendations of the Partnership Council” in their respective official journals or online.
“In other words, anything in the Trade and Cooperation Agreement, including the ‘specified period’ for the application of Article FINPROV.10A, can be amended by agreement between the parties…and any such decision may take place on the basis of secret information (if either the EU or the UK demands that) – and can even be kept unpublished,” said Korff.
“Of course, the process for decision-making in the Partnership Council falls far short of the process for the adoption of an adequacy decision under the GDPR. The EDPB would not have to give an opinion on any such proposed decision, and neither the UK nor the European Parliament would have to be consulted.”
Under the current legislative framework of the EU, the adoption of an adequacy decision requires input from multiple bodies.
This includes an initial proposal from the EC, which is then reviewed by the EDPB and voted on by a committee of member state representatives, before going back to the EC for final approval.
At any time, either the European Parliament or European Council can request that the EC maintain, amend or withdraw the adequacy decision if they decide it exceeds the EC’s implementing powers.
Korff added that while it’s unlikely that any decision to extend the period would be kept secret, as “such a decision would need to be made public in order for companies and public authorities to rely on it”, there is a much stronger chance that “the UK would present the EU with ‘confidential’ information to persuade the latter to extend the period, for instance on the basis that not to do so would harm UK and EU national security”.
Duhs, however, maintained that this would still be the procedure going forward, writing that the Partnership Council “is able to make recommendations to the parties regarding the transfer of personal data in areas covered by the Trade and Cooperation Agreement, or any supplementing agreement”, and that the provision “potentially allows difficulties to be dealt with before they cause disruption”.
She added that while this also has the potential to cause tension between the CJEU assessment of adequacy and the Partnership Council’s approach, it does mitigate the risk of losing adequacy. “This could assist in providing a political solution in the event that the CJEU invalidates the UK adequacy decision,” she said.