With the interim data transfer window under the Brexit Trade Agreement expiring yesterday, on 28 June 2021 the European Commission adopted two adequacy decisions confirming the UK as an adequate jurisdiction for GDPR and Law Enforcement Directive purposes – just in time to allow the uninterrupted free flow of personal data from the European Union to the UK.
Seven months after the European Commission published its draft new Standard Contractual Clauses for data transfers between EU and non-EU countries (the “Draft SCCs”) for consultation (see our blog post here (the “Draft SCCs Blog”)), they have now published a finalised set of Standard Contractual Clauses (“Final SCCs”) with little fanfare (available here).
It should also be noted that alongside the Final SCCs, the European Commission have published a finalised set of non-mandatory Article 28 clauses for use between controllers and processors in the EU (see our blog post here on the draft version) in relation to which we will be publishing a follow-up shortly.
It will be mandatory, however, for organisations to implement and comply with the Final SCCs and in this blog post we consider the movement from the Draft SCCs to the Final SCCs (as well as the key points raised by them), the practical impact that this will have on organisations and the UK’s position.
- The Draft SCCs and the Final SCCs – In comparison to the Draft SCCs, the Final SCCs provide some cause for hope, in particular an extended grace period of 18 months, a 3 month window during which organisations may continue to put in place the current SCCs to address international transfers of personal data, and the softening of some provisions such as the approach to challenging public authority access. However, other aspects of the Final SCCs may cause increased friction, notably a more nebulous approach to the warranty regarding impact assessments.
- Practical Considerations from the Final SCCs – The Final SCCs serve to confirm that a repapering exercise is looming for most organisations and that a re-evaluation of current agreements, training, and contracting support will be required so as to have in place mechanisms to implement agreements with appropriate iterations of the Final SCCs on an ongoing basis. Beyond this, more granular considerations including the interplay of the Final SCCs with negotiated clauses will require some more careful, context-specific scrutiny.
- The UK’s Way Forward – The current SCCs will continue to apply for transfers of data from the UK to third countries while the ICO prepares a set of its own standard contractual clauses, independent of the Final SCCs. The extent to which these deviate will inform how much more complex putting in place and maintaining the necessary contractual provisions will be for organisations, particularly those with multifaceted data flows between the UK, EU and third countries.
Please refer to the Draft SCCs Blog for more detailed background, but by way of summary, the GDPR prohibits the transfer of personal data from the EEA to a third country or international organisation outside of the EEA unless an available condition under the GDPR is satisfied.
One of these conditions is the use of Standard Contractual Clauses (“SCCs”) which are effectively a contract ‘pre-approved’ by the European Commission to be entered into between the data exporter and the data importer and which impose certain data protection obligations on both parties. However, the current SCCs had some issues, including the fact that they were not updated when the GDPR came into force (referencing the old EU Data Protection Directive rather than GDPR) and that there were only two sets of SCCs (covering transfers from one controller to another controller (“C2C”) or from a controller to a processor (“C2P”)), which meant that they did not cover situations such as processor to processor (“P2P”) or processor to controller (“P2C”) transfers.
The Draft SCCs looked to address these issues, as well as the impact of the Schrems II decision (see our blog post on the Schrems II case here). The Schrems II judgment made it clear that where SCCs are being used, a level of due diligence needs to take place before any transfer can be made. This is to ensure that personal data originating in the EEA always carries with it protections which are essentially equivalent to those in the EEA. In parallel, to help data exporters in that assessment, on 10 November 2020 the EDPB issued draft guidance on how to carry out the due diligence exercise in practice (see our blog post on the draft guidance here). We are imminently expecting the finalised EDPB guidance on these supplementary measures, potentially as early as next week if the authorities are able to agree them during this month’s plenary meeting on 15 June 2021.
Following a period of consultation and some delay to finalisation, the European Commission published the Final SCCs in final working documents on 4th June with publication in the Official Journal expected swiftly.
The Draft SCCs and the Final SCCs
The Final SCCs broadly adopt the same approach as the Draft SCCs, although there is some deviation both to soften provisions and to provide more flexibility to organisations than originally envisioned by the Draft SCCs, while in some instances the approach has been toughened. We detail the material deviations and summarise the changes from the Draft SCCs below.
- Extended Grace Period and Limited Grandfathering Period
The Draft SCCs contemplated a one year grace period within which organisations had to ensure compliance and the Final SCCs have both extended this period and made it more nuanced by introducing a limited grandfathering period during which organisations may continue to implement the current SCCs. From the date of publication in the Official Journal (plus 20 days), organisations will now:
- have 3 months to continue to put in place the current SCCs; and
- have 15 months from the end of the 3 month period within which they must implement the Final SCCs and can continue to rely on the current SCCs (provided there is no change to the processing activities during this time and any necessary supplemental measures are in place).
While the extended grace period is positive in the context of the EU-US Privacy Shield being immediately invalidated as a result of the Schrems II decision and thereby requiring instant contractual and organisational remediation, the result of the Final SCCs is that organisations will still be required to re-paper their existing contracts in the medium term (likely by December 2022) and put in place mechanisms to begin incorporating the Final SCCs into new agreements in the short term (likely starting from June 2021 but by no later than September 2021) (see ‘practical considerations’ section below).
- Modular Structure and Scope
The Final SCCs have retained the modular format allowing for adaptation to different factual scenarios covering both C2C and C2P transfers already provided for under the current SCCs. They now also cater for P2P and P2C situations which were not provided for and enable other parties to ‘dock’ into the Final SCCs (of particular importance where sub-processors are introduced to a pre-existing arrangement).
Additionally, the set of processor clauses required by Article 28 GDPR remains incorporated into the Final SCCs rather than forming a separate module, and explicitly prevails over any conflicting provisions.
While elements of the modules have been somewhat rearranged, materially they provide the same flexibility, but also the same issues, as discussed in the ‘structure’ and ‘scope’ sections of the Draft SCCs Blog.
The requirement for data importers who are controllers to notify a competent EU supervisory authority (discussed in the ‘extraterritoriality’ section of the Draft SCCs Blog) remains but rather than the threshold being a ‘significant adverse effect’, this has been lowered to ‘a risk to the rights and freedoms of natural persons’ (with an attendant notification obligation to data subjects where there is a ‘high risk’). This aligns with the thresholds in the GDPR, but arguably makes notification a more likely requirement for importers.
Additionally, the approach of the Final SCCs imposes on data importers requirements that will be familiar to those already subject to the GDPR, such as obligations of transparency, security, limits to the purpose of processing, and complying with data subject rights, amongst others. In binding importers to obligations similar in nature to the requirements of the GDPR, the Final SCCs can be seen as a further step in extending the reach of the GDPR.
Like the Draft SCCs, the Final SCCs include provisions which address the challenges of the Schrems II case (discussed in the ‘Schrems’ section of the Draft SCCs Blog), with only minor changes made to the Final SCCs in this regard.
Perhaps most notably, however, the warranty that the parties are required to provide that they have no reason to believe that the ‘laws’ of the importer country prevent the importer from fulfilling its obligations under the Final SCCs has been expanded to make reference to ‘laws and practices’. The Final SCCs contain a footnote which provides some examples of the elements which may be considered as part of this impact assessment, but this more nebulous phrasing further emphasises the difficulty organisations are likely to have in being able to confidently undertake and document such an assessment and warrant such a claim.
One position that has been softened from the Draft SCCs is that the requirement on importers to exhaust all available legal remedies when challenging a public authority access request has been amended to grant the importer a degree of discretion in circumstances where it believes that there are ‘reasonable grounds to consider that the request is unlawful…’ and so challenge it. This caveat gives importers some leeway in approaching such requests.
The more detailed liability provisions set out in the Draft SCCs remain in the Final SCCs, as does the uncapped liability position. Given the precedence taken by the Final SCCs over any other terms in an agreement to which the Final SCCs are attached, it would have been helpful if the European Commission had provided some clarity in relation to these points. Unfortunately, however, it is still unclear as to how both the detailed liability provisions and uncapped liability position set out in the Final SCCs are supposed to align with any pre-existing liability provisions set out in an agreement to which the Final SCCs are attached, especially if such pre-existing liability provisions include a cap on data protection liability, as they often do.
Absent further guidance, it would appear that attempts to limit or exclude liability would conflict with, and then be subordinate to, the approach taken by the Final SCCs.
Practical Considerations from the Final SCCs
Despite the positive and negative changes brought about by the Final SCCs, they do at least provide some clarity for organisations regarding what next steps they should take and what thinking should be done:
- In-Flight Projects
While there is a limited 3 month period within which organisations can continue to put the current SCCs in place, they will only be able to rely on them for a further 15 months from the end of that 3 month window. As such, where the contractual arrangements for an in-flight project are likely to last beyond December 2022, it may make most sense for organisations to consider and implement the Final SCCs during this window.
For contracts with a duration likely to end before this window ends, or which will come up for renewal, in the interests of expediency it would perhaps be preferable to implement the current SCCs at this stage and begin implementing and, where necessary, repapering with the Final SCCs over the subsequent 15 months, by which point further guidance is likely to have been published and the market is more likely to have adopted a more settled approach.
- Repapering and Expertise
As noted in the ‘repapering (again)’ section of the Draft SCCs Blog, the Final SCCs confirm that a further, more complex repapering exercise is required.
As well as requiring organisations to analyse the perhaps thousands of contractual arrangements in place to determine the data flows and relationships between parties to replace them with the appropriate combination of Final SCC modules, organisations will also need to ensure that they have in place the appropriate expertise, support, and training to be able to begin putting in place the appropriate combinations by the end of the 3 month grandfathering period.
The earlier organisations begin to engage with the approach taken by the Final SCCs and put in place mechanisms sufficient to prepare and implement combinations of modular Final SCCs, the easier the transition will be.
- Final SCCs and Negotiated Clauses
As well as the repapering exercise (which will not be a ‘rip and replace’ exercise of the current SCCs to the Final SCCs), at a more granular level organisations will also need to consider the interplay between the Final SCCs and negotiated operative clauses in the main body of agreements incorporating the Final SCCs. For example:
- Operative provisions which refer out to the Final SCCs will need to be appropriately tailored to ensure that there is no conflict in multifaceted relationships (e.g. where various parties may be acting as controllers, processors, and sub-processors in relation to different data as part of the same arrangement) to enable the operative provisions and relevant modules to align.
- The Final SCCs contain embedded Article 28 provisions and so, where negotiated and bespoke operative Article 28 provisions are in place, ensuring alignment between them so as not to produce a conflict resulting in the inapplicability of tailored positions will be necessary to preserve commercial certainty.
- Contradictions may also arise for which straightforward resolution may not be possible, such as the apparent conflict between uncapped liability under the Final SCCs and commonly capped negotiated positions, or where a tailored Article 28 provision cannot be aligned with those in the Final SCCs.
- The imposition of obligations on importers will also mean that they may seek more protection from operative contractual clauses, for example the importer’s transparency obligation will likely necessitate the inclusion of operative provisions to detail the responsibility between the parties of discharging such obligations (i.e. certainty of the provision of information).
- The European Commission’s decision to address P2P transfers in the Final SCCs will finally allow parties to simplify the operative clauses that controllers enter into with processors that engage subprocessors based outside of the EU. The absence of any P2P mechanism in the current SCCs has long required parties to shoehorn in the C2P clauses to address transfers between processors and subprocessors, often to unsatisfactory effect given that there is usually an absence of direct contractual nexus between controller and subprocessor. The new P2P module should serve to simplify and speed up the drafting and negotiation of these operative provisions going forward.
Where contracts are remediated, or standard template agreements will be updated, a careful approach will need to be taken to ensure regulatory compliance while also achieving an appropriate balance of commercial risk, depending on the particular factual matrix.
- The Data Importer’s Position
Where a data importer contracts with an exporter on the basis of the Final SCCs, the fact that the Final SCCs impose a range of substantive obligations on importers (see ‘extraterritoriality’ section above) will require importers to take considerable care to determine whether they do in fact have the technical, organisational, and contractual means to satisfy the various obligations placed upon them.
The potential risks of litigation and cost of simply signing and doing what has always been done have never been higher.
The UK’s Way Forward
The ICO has stated that it has been drafting its own standard contractual clauses during the course of 2021 (with a period of consultation also expected) (the “UK SCCs”), in a process distinct from the Final SCCs. It will be interesting to see the extent to which, if at all, the UK SCCs leverage the positions in the current SCCs, Draft SCCs, and Final SCCs, or whether a completely novel route is taken.
While some mood music suggests that the UK will pursue a more relaxed, business-minded approach to data (and so the UK SCCs can perhaps be expected to impose less stringent requirements on organisations), such an approach will need to be carefully balanced against the UK’s position on data vis-à-vis the EU, in particular to ensure the UK SCCs are seen as sufficiently protective if the UK is to benefit from an adequacy decision from the EU.
In addition, the ICO has previously emphasised that international data transfers would need to account for the impact of the Schrems II decision and, in its response to the UK’s National Data Strategy, highlighted the importance of building on the rights, principles, and protections of data which are currently in place. Therefore a novel approach or substantial deviation from the EU’s approach (be that the current SCCs or Final SCCs) may be unlikely.
From a practical perspective, the Final SCCs are not currently regarded as an “adequate safeguard” for UK GDPR purposes for transfers from the UK to third countries and will therefore not be officially compliant from a UK GDPR perspective at the moment. Absent the UK SCCs and/or approval of the Final SCCs, the current SCCs may therefore continue to be relevant.
Furthermore, for organisations with data flows between the EU, UK and third countries, the implementation of a further set of standard contractual clauses which may deviate from or potentially conflict with the Final SCCs would be a headache that they could do without, with further repapering and more complex contractual arrangements to introduce and align the Final SCCs with UK SCCs potentially required. That is unless the ICO approves the Final SCCs (in addition to any UK SCCs), giving organisations the option of which set of clauses to select based on their respective data flows and contracting approach to international data transfers to third countries.
The UK’s approach will therefore be important to monitor over the coming months and, until such time as the UK SCCs are brought into force, the current SCCs remain relevant.
The publication of the Final SCCs provides organisations with a long-awaited update to the current SCCs and, for better or worse, provides clarity in relation to the steps and considerations that organisations will need to take if they are to continue making international transfers of personal data, as well as time (by way of the grace period and limited grandfathering period) to take these steps.
Most organisations will have been through this process before and, while it may be slightly more complex in execution, the principles of previous repapering exercises, as well as more developed processes regarding records of processing, data audits, and data mapping in the years since the GDPR came into force, should provide organisations with many of the tools needed to adopt and implement the Final SCCs (although for importers that are not used to the GDPR, the increased GDPR rigour of the Final SCCs may make this more challenging).
The most important step for organisations will be to understand the new modular approach to the Final SCCs, the most material departure from the current SCCs, as organisations will need to start the process of implementing the Final SCCs in 3 months’ time. Organisations that have template agreements and processes in place which include data protection provisions incorporating the current SCCs will also need to update these template agreements and processes and provide appropriate training to those tasked with maintaining these arrangements. In the longer term, repapering will be flavour of the month once more.
As most in the data community are aware, the EU-UK Trade and Cooperation Agreement (the “Brexit Deal”) was agreed on Christmas Eve and provides for an interim period (up to a maximum of six months ending on 30 June 2021) whereby data transfers from Europe to the UK will not be treated as transfers to a third country subject to Chapter V of the GDPR following the end of the transition period on 1 January 2021, provided the UK complies with certain conditions during the interim period (discussed in our blog here).
Following this, both the European Data Protection Board (“EDPB”) and the UK’s supervisory authority (the Information Commissioner’s Office (“ICO”)) have issued either updated or new responses which provide some more clarity on areas of focus and what to expect over the coming year.
The EDPB’s Response
Prior to the Brexit Deal being agreed, in mid-December the EDPB adopted its ‘Statement on the end of the Brexit transition period’ (here) (the “Statement”) and an ‘Information note on data transfers under the GDPR to the United Kingdom after the transition period’ (here) (the “Information Note”) which highlighted some key considerations of the EDPB.
Following the agreement and implementation of the Brexit Deal from the beginning of 2021, the EDPB has now updated the Statement and Information Note.
- The interim data transfer window
In line with Article FINPROV.10A of the Brexit Deal, the update to the Statement and Information Note emphasises that data transfers to the UK can continue to take place without the requirement of a transfer tool under Article 46, or reliance on the derogations listed under Article 49, until 30 June 2021 (at the latest), provided that the UK’s current data protection regime stays in place.
- Preparing for an adequacy decision (or lack of one)
The EDPB provides no further view on the adequacy of the UK’s data protection regime other than that the timeline for a favourable decision has now been pushed to the end of June. If a favourable adequacy decision is not taken by 30 June 2021, the EDPB emphasises in the Statement and Information Note that transfers between entities regulated by the GDPR to the UK will become subject to Chapter V of the GDPR. This will mean that transfers to the UK will require adequate safeguards such as standard data protection clauses, binding corporate rules, intra-group agreements, codes of conduct etc. to be put in place along with ensuring enforceable data subject rights and effective legal remedies for data subjects as required by Article 46.
The Information Note further reminds controllers and processors that, absent an adequacy decision, from the end of the interim period compliance with other GDPR obligations will come into sharper focus, including:
- updating privacy notices and records of processing to account for data transfers to the UK;
- taking caution if intending to rely on grounds under Article 49 in the absence of safeguards under Article 46, as such grounds are to be interpreted restrictively, only being fit for occasional and non-repetitive transfers; and
- considering whether any supplementary tools may need to be put in place, a relatively complex and time-consuming consideration discussed further here (albeit, given that the UK’s data law is the application of the GDPR, such consideration should theoretically be straightforward).
- One-Stop-Shop mechanism
While not affected by the EDPB’s updates, it is worth noting that the Statement and Information Note also clarify the applicability of the One-Stop-Shop (“OSS”) mechanism envisioned by the GDPR within the UK.
The OSS mechanism provides that the supervisory authority in the jurisdiction of an entity’s main establishment will act as the lead supervisory authority and carry out compliance and regulatory functions on behalf of supervisory authorities in each EU jurisdiction in relation to that entity.
From 1 January 2021, the OSS will not apply in the UK so that the ICO will not be able to act as a lead supervisory authority (i.e. the Brexit Deal did not extend this mechanism). The EDPB notes that it has engaged with supervisory authorities and the ICO to ensure a smooth transition of existing cross-border cases.
The Statement and Information Note go on to remind controllers and processors that they remain free to establish a main establishment in an EU jurisdiction under Article 4(16) to utilise the OSS mechanism (although for many entities this may well be impracticable). If this is not in place, entities will need to designate a representative under Article 27 as long as their activities are subject to the GDPR under Article 3(2).
The ICO’s Response
In a blog posted on 22nd January (here), the ICO’s Information Commissioner Elizabeth Denham responded to the Brexit Deal (the “ICO Response”) by welcoming the long-term commitments made by the EU and UK, most notably, to promoting high international standards of data protection, developing a regulatory relationship, and co-operating on enforcement activity.
The ICO Response considered the interim period allowing data transfers between Europe and the UK as the “best possible outcome for UK organisations” in light of the risks and impacts to digital trade if this had not been put in place. However, given this interim period will end in either four or six months under the Brexit Deal, the importance of a positive adequacy decision for UK data flows is clear in the ICO Response, emphasised by the reference to the EU’s commitment to considering the UK’s adequacy position “promptly” in a declaration accompanying the Brexit Deal. The ICO Response also sounds the warning that adequacy is not guaranteed, and so organisations should be putting in place appropriate safeguards during this window.
Finally, as well as some specific commentary regarding data sharing in the context of law enforcement and noting that the UK must also notify the EU-UK Partnership Council, as far as reasonably possible, of any new international transfers of personal data between public authorities, the ICO Response also highlights that the process for any decisions in a range of areas (including UK adequacy decisions, approving international transfer mechanisms, or standard contractual clauses) must be put before the EU-UK Partnership Council. Given this requirement, it may be that material departure from the current UK data protection position is unlikely in the imminent future.
On Christmas Eve, the EU and UK announced that they had reached an agreement on their future relationship, which we expect to come into effect on 1 January 2021 (the “Brexit Deal”). Further details of the deal itself will be discussed by my colleagues on our Beyond Brexit blog, available here. And for the most part, the Brexit Deal does not deal with data protection specific issues.
However, for those data practitioners amongst us, you will know that the main area of concern related to Brexit has long been the issue of data transfers and whether or not the UK will be considered ‘adequate’ for GDPR purposes. In this respect, the Brexit Deal does throw a slightly unexpected lifeline of sorts.
The interim data transfer window
Article FINPROV.10A (Interim provision for transmission of personal data to the United Kingdom) provides for a four month window (which can be extended to six months) during which the UK will still not be treated as a ‘third country’ for GDPR purposes, thereby allowing the free flow of data from the EU and EEA Member States to the UK. So far so good, and many companies may be breathing a sigh of relief that the 31st December ‘cliff edge’ has been avoided. However, the interim data transfer window comes with strings attached.
The draft Brexit Deal makes it clear that the interim data transfer window will only remain open provided that the UK: (i) does not change its data protection laws from those in place on 31 December 2020 (i.e. the UK GDPR); and (ii) does not exercise any of its ‘designated powers’ without agreement from Europe. The ‘designated powers’ referred to are a relatively long shopping list of actions that the UK may not take with respect to international data transfers. For example, it may not publish its own set of ‘standard contractual clauses’ or approve a draft Code of Conduct with respect to international transfers of data. If the UK takes any such action without agreement from Europe, then the transfer window will automatically close (meaning the companies would need to put additional transfer mechanisms in place to legitimise the transfer of data from the EU to the UK). This appears to be a relatively significant restraint on the UK’s autonomy over its own laws in the pending post-Brexit world, although presumably a concession that the UK was willing to make given that it had always intended to effectively transpose the GDPR into UK domestic law.
Implications for adequacy
It is difficult at this stage to understand what the implications of the Brexit Deal could be for the ongoing adequacy assessment being undertaken by the European Commission. The establishment of an interim 4-6 month data transfer window could lead some to be cautiously optimistic that the European Commission simply needs a bit more time to dot its ‘i’s and cross its ‘t’s with respect to adequacy. However, the relatively long shopping list of actions that the UK is prevented from taking in the field of data protection in order to keep the data transfer window open for that 4-6 month period hints at a nervousness within the European Commission that the UK may move away from the principles of the GDPR in the future, something that could prevent an adequacy decision being granted in its favour. As a result, many companies may be left with the distinct impression that the deal is simply delaying the inevitable cliff edge when it comes to data transfers. The implications of not obtaining an adequacy decision are particularly concerning when considering the possible implications of the CJEU judgment in the Schrems II case earlier this year (for further details, please see our Schrems blog posts available here). So whilst the interim data transfer window provided by the Brexit Deal will likely be welcomed, there nonetheless remains an anxious wait to understand the European Commission’s position on the long-term adequacy of the UK in the eyes of data protection law.
- A recent CJEU judgment has found bulk data retention laws in the UK, France and Belgium to be incompatible with EU law.
- The judgment could have a negative impact on the UK’s efforts to obtain an adequacy decision from the EU Commission before the end of the year to enable the free flow of personal data between the EU and the UK post-Brexit.
- In light of the recent Schrems II judgment which criticised US authority access to data, even if the UK obtains its adequacy decision, a change to its surveillance laws must surely be required in order to avoid a Schrems-style challenge in the future.
The Court of Justice of the European Union (“CJEU”) recently issued a judgment in favour of various rights advocacy organisations, including Privacy International and La Quadrature du Net in relation to a number of cases that the organisations had brought against bulk data retention schemes run by British, French and Belgian security and intelligence agencies.
In these cases, the rights advocacy organisations raised objections to the intrusiveness of bulk data retention schemes, seeking to rein in the extensive powers exercised by security and intelligence agencies to either:
- retain users’ traffic and location data (“Metadata”) received from providers of electronic communication services; or
- require providers of electronic communication services to retain Metadata on their behalf,
for the purposes of conducting mass surveillance in the interests of protecting national security.
Finding in favour of the rights advocacy organisations, the CJEU made it clear in its judgment that:
- national legislation requiring providers of electronic communications services to retain Metadata or to forward that data to security and intelligence agencies falls within the scope of EU law, including when this is done for the purposes of protecting national security;
- Member States are prohibited from adopting legislation, for national security purposes or otherwise, intended to restrict the scope of rights and obligations provided for in EU law, specifically the obligation to ensure confidentiality of communications and traffic data, unless the legislation is in accordance with the general principles of EU law;
- the general principles of EU law, in particular the principle of proportionality and the fundamental rights guaranteed by the Charter, apply to bulk data collection and preclude the transmission or retention of Metadata in a “general and indiscriminate manner”, restricting it to what is “strictly necessary” (i.e. requiring Member States to authorise retention or transmission on a case-by-case basis rather than giving blanket authorisations); and
- Member States may only authorise indiscriminate and bulk retention of data where they are faced with a serious threat to national security that proves to be genuine and present or foreseeable, subject to review by a court or independent body.
It is important to note that this judgment runs counter to certain elements of the UK’s Investigatory Powers Act as well as the French Decree on specialised intelligence services from 2015, and the Belgian Law on collection and retention of communication data from 2016, all of which may require reform in order to comply with various aspects of the CJEU ruling.
Impact on Brexit
One of the UK Government’s many objectives ahead of 1 January 2021 (i.e. the end of the transition period following the UK’s departure from the EU) is to obtain an adequacy decision from the European Commission to allow the free flow of data between the UK and EU to continue – any failure to achieve adequacy will lead to logistical challenges and increased costs for organisations engaged in EU-UK data transfers. However, the UK Government will only be granted this adequacy decision if it is able to demonstrate that its domestic laws will provide “essentially equivalent” protection to EU data subjects as they are afforded under EU law when their data is transferred to the UK.
This latest judgment potentially represents a major setback for the UK in relation to obtaining an adequacy decision given the CJEU’s finding that UK security and intelligence agencies’ broad powers to intercept and retain digital communications under the UK’s Investigatory Powers Act, together with the UK’s practices regarding access to and bulk retention of data in general, are essentially incompatible with EU law. The UK Government will need to factor the task of reaching a deal in relation to accessing and retaining Metadata for national security purposes into its Brexit timetable.
Impact on Schrems II
The CJEU’s judgment in the Privacy International case follows its Schrems II judgment, handed down earlier this year, which invalidated the EU-US Privacy Shield, the transatlantic framework under which organisations could transfer personal data from the EU to the US. The invalidation rested in part on the findings that US national security laws were too intrusive and that EU individuals did not have sufficient access to legal redress in the US. In light of this, even if the UK obtains an adequacy decision from the European Commission, a change to UK surveillance laws will surely be needed to avoid a Schrems-style challenge in the future.
Schrems II also placed significant emphasis on the due diligence which exporting controllers and supervisory authorities are expected to undertake in relation to the legal environment of third countries to which personal data is to be transferred in reliance on Standard Contractual Clauses, although there has been scant guidance to supplement this aspect of the judgment to date. By clarifying what it deems to amount to acceptable access and retention of Metadata by security and intelligence agencies in member states, the CJEU’s latest judgment does at least provide an indication of the standard that it expects the national security and surveillance laws of third countries to meet for the purposes of this due diligence.
- The UK will maintain its adequacy status in Japan even after it withdraws from the European Union.
- Japan recognises that the UK has relevant legislation in place to maintain its adequacy assessment.
The Personal Information Protection Commission (“PPC”) in Japan has announced that, with respect to the transfer of personal data between Japan and the UK, the UK will maintain its adequacy status even after it withdraws from the European Union (“EU”).
The UK withdrew from the EU on 31 January 2020 and has entered into a transition period until 31 December 2020, during which time it will remain subject to EU rules including the General Data Protection Regulation (“GDPR”).
Currently, European Economic Area member states, which includes those member states within the EU but does not include the UK, are included in Japan’s white list of countries which Japan recognises as having an adequate level of personal data protection. This recognition enables personal data to be transferred out of Japan and into white-listed countries without the requirement for any further safeguards to be in place.
The PPC’s Announcement
The PPC’s announcement on 28 January 2020 confirms that the UK will continue to maintain its adequacy status in Japan now that it has withdrawn from the EU because it has the relevant legislation in place to maintain its adequacy assessment. The PPC also confirms that this will apply to the UK even after the transition period.
This is a welcome indication that countries outside of the EU recognise the ability of the UK’s data protection laws to enforce international data protection requirements and that cross-border data transfer with the UK can continue after the transition period.
This announcement follows the European Commission’s adoption of its adequacy decision in favour of Japan on 23 January 2019.
As we noted in our 2020 data protection predictions blog, we expect the discussions around the UK’s adequacy decision to be one of the key developments in the year to come for data protection. Despite the GDPR being enacted into UK law, it remains to be seen whether the EU will recognise the UK as providing adequate levels of data protection following the transition period. In this regard, the European Data Protection Supervisor (“EDPS”), Wojciech Wiewiórowski, noted that the UK is “13th in the row” for an adequacy decision. Even though the EDPS does not participate directly in adequacy decisions, his comments may indicate a general reluctance to let the UK skip the queue in terms of an adequacy decision.
As we all continue to try to grapple with the implications of a no-deal Brexit, the last week or two has seen the publication of a few things of interest from a data protection perspective:
The EDPB’s view of data transfers in a no-deal Brexit scenario
On 12 February 2019, the European Data Protection Board (the “EDPB“) published a general information note on data transfers under the GDPR in the event of a no-deal Brexit (available here). In summary, the information note provides that organisations must comply with the GDPR when transferring personal data from the EU to the UK, which will become a “third country” for GDPR purposes (from 00.00 am CET on 30 March 2019). No new or additional safeguards are contemplated by the EDPB, which effectively means that organisations must choose between:
- Standard contractual clauses (which the EDPB acknowledges are “ready to use”);
- Binding corporate rules;
- Codes of conduct or certification mechanisms (although none are yet approved/available under the GDPR); or
- Derogations such as individual explicit consent (although the EDPB emphasises that the derogations must be interpreted restrictively and mainly relate to processing activities that are occasional and non-repetitive).
For further information regarding the potential impact of a no-deal Brexit on data transfers, including an analysis of worked examples, please see our previous blog post available here.
Miriam Everett, Head of the Data Protection and Privacy group at Herbert Smith Freehills, has been working with the LexisNexis Data Protection Intelligence Group to publish a paper on Brexit and international personal data transfers: Practical approaches for the private sector in a time of uncertainty.
The paper explores how potential new international transfer restrictions (between the UK and EEA) may apply in a variety of worked examples and in the event of different Brexit outcomes. It also outlines, with practical examples, the steps that businesses may want to take to continue personal data transfers post-Brexit.
As we approach the exit date, organisations are having to critically assess international data transfers and evaluate how to legitimise such transfers in a post-Brexit world. This paper is the first of its kind (as far as the group is aware) to give detailed worked examples of how available compliance solutions could be applied under both the GDPR and the UK GDPR.
Click here to read the full paper.
The UK Government has published a “no deal” note to clarify how data protection law will work in the event that the UK leaves the EU without a deal. The note confirms that separate draft regulations and more detailed guidance will be published in the next few weeks but, in the meantime, it clarifies at a high level a number of key issues for organisations both within the UK and outside but doing business with the UK.
The UK Digital Minister Matt Hancock has confirmed in a written statement that the General Data Protection Regulation (the “GDPR“) will come into force in the UK in May 2018 despite the UK’s move towards Brexit.