EU-UK Brexit Deal grants an interim data transfer window

On Christmas Eve, the EU and UK announced that they had reached an agreement on their future relationship, which we expect to come into effect on 1 January 2021 (the “Brexit Deal”). Further details of the deal itself will be discussed by my colleagues on our Beyond Brexit blog, available here. And for the most part, the Brexit Deal does not deal with data protection specific issues.

However, for those data practitioners amongst us, you will know that the main area of concern related to Brexit has long been the issue of data transfers and whether or not the UK will be considered ‘adequate’ for GDPR purposes. In this respect, the Brexit Deal does throw a slightly unexpected lifeline of sorts.

The interim data transfer window

Article FINPROV.10A (Interim provision for transmission of personal data to the United Kingdom) provides for a four month window (which can be extended to six months) during which the UK will still not be treated as a ‘third country’ for GDPR purposes, thereby allowing the free flow of data from the EU and EEA Member States to the UK. So far so good, and many companies may be breathing a sigh of relief that the 31st December ‘cliff edge’ has been avoided. However, the interim data transfer window comes with strings attached.

The draft Brexit Deal makes it clear that the interim data transfer window will only remain open provided that the UK: (i) does not change its data protection laws from those in place on 31 December 2020 (i.e. the UK GDPR); and (ii) does not exercise any of its ‘designated powers’ without agreement from Europe. The ‘designated powers’ referred to are a relatively long shopping list of actions that the UK may not take with respect to international data transfers. For example, it may not publish its own set of ‘standard contractual clauses’ or approve a draft Code of Conduct with respect to international transfers of data. If the UK takes any such action without agreement from Europe, then the transfer window will automatically close (meaning that companies would need to put additional transfer mechanisms in place to legitimise the transfer of data from the EU to the UK). This appears to be a relatively significant restraint on the UK’s autonomy over its own laws in the pending post-Brexit world, although presumably a concession that the UK was willing to make given that it had always intended to effectively transpose the GDPR into UK domestic law.

Implications for adequacy

It is difficult at this stage to understand what the implications of the Brexit Deal could be for the ongoing adequacy assessment being undertaken by the European Commission. The establishment of an interim 4-6 month data transfer window could lead some to be cautiously optimistic that the European Commission simply needs a bit more time to dot its ‘i’s and cross its ‘t’s with respect to adequacy. However, the relatively long shopping list of actions that the UK is prevented from taking in the field of data protection in order to keep the data transfer window open for that 4-6 month period hints at a nervousness within the European Commission that the UK may move away from the principles of the GDPR in the future, something that could prevent an adequacy decision being granted in its favour. As a result, many companies may be left with the distinct impression that the deal is simply delaying the inevitable cliff edge when it comes to data transfers. The implications of not obtaining an adequacy decision are particularly concerning when considering the possible implications of the CJEU judgment in the Schrems II case earlier this year (for further details, please see our Schrems blog posts available here). So whilst the interim data transfer window provided by the Brexit Deal will likely be welcomed, there nonetheless remains an anxious wait to understand the European Commission’s position on the long-term adequacy of the UK in the eyes of data protection law.

Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378

CJEU RULES BULK DATA RETENTION SCHEMES UNLAWFUL: IMPACT ON BREXIT AND SCHREMS II

  • A recent CJEU judgment has found bulk data retention laws in the UK, France and Belgium to be incompatible with EU law.
  • The judgment could have a negative impact on the UK’s efforts to obtain an adequacy decision from the EU Commission before the end of the year to enable the free flow of personal data between the EU and the UK post-Brexit.
  • In light of the recent Schrems II judgment which criticised US authority access to data, even if the UK obtains its adequacy decision, a change to its surveillance laws must surely be required in order to avoid a Schrems-style challenge in the future.

Background

The Court of Justice of the European Union (“CJEU”) recently issued a judgment in favour of various rights advocacy organisations, including Privacy International and La Quadrature du Net in relation to a number of cases that the organisations had brought against bulk data retention schemes run by British, French and Belgian security and intelligence agencies.

In these cases, the rights advocacy organisations raised objections to the intrusiveness of bulk data retention schemes, seeking to rein in the extensive powers exercised by security and intelligence agencies to either:

  1. retain users’ traffic and location data (“Metadata”) received from providers of electronic communication services; or
  2. require providers of electronic communication services to retain Metadata on their behalf,

for the purposes of conducting mass surveillance in the interests of protecting national security.

Finding in favour of the rights advocacy organisations, the CJEU made it clear in its judgment that:

  • national legislation requiring providers of electronic communications services to retain Metadata or to forward that data to security and intelligence agencies falls within the scope of EU law, including when this is done for the purposes of protecting national security;
  • Member States are prohibited from adopting legislation, for national security purposes or otherwise, intended to restrict the scope of rights and obligations provided for in EU law, specifically the obligation to ensure confidentiality of communications and traffic data, unless the legislation is in accordance with the general principles of EU law;
  • the general principles of EU law, in particular the principle of proportionality and the fundamental rights guaranteed by the Charter, apply to bulk data collection and preclude Metadata transmission or retention in a “general and indiscriminate manner”, restricting it to what is “strictly necessary” (i.e. requiring member states to authorise retention or transmission on a case by case basis rather than giving blanket authorisations); and
  • Member States may only authorise indiscriminate and bulk retention of data where they are faced with a serious threat to national security that proves to be genuine and present or foreseeable, subject to review by a court or independent body.

It is important to note that this judgment runs counter to certain elements of the UK’s Investigatory Powers Act as well as the French Decree on specialised intelligence services from 2015, and the Belgian Law on collection and retention of communication data from 2016, all of which may require reform in order to comply with various aspects of the CJEU ruling.

Impact on Brexit

One of the UK Government’s many objectives ahead of 1 January 2021 (i.e. the end of the transition period following the UK’s departure from the EU) is to obtain an adequacy decision from the European Commission to allow the free flow of data between the UK and EU to continue – any failure to achieve adequacy will lead to logistical challenges and increased costs for organisations engaged in EU-UK data transfers. However, the UK Government will only be granted this adequacy decision if it is able to demonstrate that its domestic laws will provide “essentially equivalent” protection to EU data subjects as they are afforded under EU law when their data is transferred to the UK.

This latest judgment potentially represents a major setback for the UK in relation to obtaining an adequacy decision given the CJEU’s finding that UK security and intelligence agencies’ broad powers to intercept and retain digital communications under the UK’s Investigatory Powers Act, together with the UK’s practices regarding access to and bulk retention of data in general, are essentially incompatible with EU law. The UK Government will need to factor the task of reaching a deal in relation to accessing and retaining Metadata for national security purposes into its Brexit timetable.

Impact on Schrems II

The CJEU’s judgment in the Privacy International case follows its Schrems II judgment, which was handed down earlier this year and served to invalidate the EU-US Privacy Shield, a transatlantic data sharing agreement which allowed organisations to transfer personal data between the EU and the US. Part of the reason for the invalidation of this mechanism was on the grounds that US national security laws were too intrusive and that EU individuals did not have sufficient access to legal redress in the US. In light of this, even if the UK obtains an adequacy decision from the European Commission, a change to UK surveillance laws will surely be needed to avoid a Schrems-style challenge in the future.

Schrems II also placed significant emphasis on the due diligence which exporting controllers and supervisory authorities are expected to undertake in relation to the legal environment of third countries to which personal data is to be transferred in reliance on Standard Contractual Clauses, although there has been scant guidance to supplement this aspect of the judgment to date.  By clarifying what it deems to amount to acceptable access and retention of Metadata by security and intelligence agencies in member states, the CJEU’s latest judgment does at least provide an indication of the standard that it expects the national security and surveillance laws of third countries to meet for the purposes of this due diligence.

Duc Tran
Senior Associate, Digital TMT, Sourcing and Data, London
+44 20 7466 2954

Julia Ostendorf
Trainee Solicitor, London
+44 20 7466 2154

UK Maintains Adequacy Status in Japan Post-Brexit

Summary

  • UK will maintain its adequacy status in Japan even after it withdraws from the European Union.
  • Japan recognises that the UK has relevant legislation in place to maintain its adequacy assessment.

The Personal Information Protection Commission (“PPC”) in Japan has announced that, with respect to the transfer of personal data between Japan and the UK, the UK will maintain its adequacy status even after it withdraws from the European Union (“EU”).

Background

The UK withdrew from the EU on 31 January 2020 and has entered into a transition period until 31 December 2020, during which time it will remain subject to EU rules including the General Data Protection Regulation (“GDPR”).

Currently, European Economic Area member states, which include those member states within the EU but do not include the UK, are included in Japan’s white list of countries which Japan recognises as having an adequate level of personal data protection. This recognition enables personal data to be transferred out of Japan and into white-listed countries without the requirement for any further safeguards to be in place.

The PPC’s Announcement

The PPC’s announcement on 28 January 2020 confirms that the UK will continue to maintain its adequacy status in Japan now that it has withdrawn from the EU because it has the relevant legislation in place to maintain its adequacy assessment. The PPC also confirms that this will apply to the UK even after the transition period.

This is a welcome indication that countries outside of the EU recognise the ability of the UK’s data protection laws to enforce international data protection requirements and that cross-border data transfer with the UK can continue after the transition period.

This announcement follows the recent adoption by the European Commission of its adequacy decision in favour of Japan on 23 January 2020.

As we noted in our 2020 data protection predictions blog, we expect the discussions around the UK’s adequacy decision to be one of the key developments in the year to come for data protection. Despite the GDPR being enacted into UK law, it remains to be seen whether the EU will recognise the UK as providing adequate levels of data protection following the transition period. In this regard, the European Data Protection Supervisor (“EDPS”), Wojciech Wiewiórowski, noted that the UK is “13th in the row” for an adequacy decision. Even though the EDPS does not participate directly in adequacy decisions, his comments may indicate a general reluctance to let the UK skip the queue in terms of an adequacy decision.

 

Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378

Angela Chow
Associate, London
+44 20 7466 2853

Brexit, Data, Brexit

As we all continue to try to grapple with the implications of a no-deal Brexit, the last week or two has seen the publication of a few things of interest from a data protection perspective:

The EDPB’s view of data transfers in a no-deal Brexit scenario

On 12 February 2019, the European Data Protection Board (the “EDPB”) published a general information note on data transfers under the GDPR in the event of a no-deal Brexit (available here). In summary, the information note provides that organisations must comply with the GDPR when transferring personal data from the EU to the UK, which will become a “third country” for GDPR purposes (from 00.00 am CET on 30 March 2019). No new or additional safeguards are contemplated by the EDPB which effectively means that organisations must choose between:

  • Standard contractual clauses (which the EDPB acknowledges are “ready to use”);
  • Binding corporate rules;
  • Codes of conduct or certification mechanisms (although none are yet approved/available under the GDPR); or
  • Derogations such as individual explicit consent (although the EDPB emphasises that the derogations must be interpreted restrictively and mainly relate to processing activities that are occasional and non-repetitive).

For further information regarding the potential impact of a no-deal Brexit on data transfers, including an analysis of worked examples, please see our previous blog post available here.

Brexit and its impact on international transfers of personal data

Miriam Everett, Head of the Data Protection and Privacy group at Herbert Smith Freehills, has been working with the LexisNexis Data Protection Intelligence Group to publish a paper on Brexit and international personal data transfers: Practical approaches for the private sector in a time of uncertainty.

The paper explores how potential new international transfer restrictions (between the UK and EEA) may apply in a variety of worked examples and in the event of different Brexit outcomes. It also outlines, with practical examples, the steps that businesses may want to take to continue personal data transfers post-Brexit.

As we approach the exit date, organisations are having to critically assess international data transfers and evaluate how to legitimise such transfers in a post-Brexit world. This paper is the first of its kind (as far as the group is aware) to give detailed worked examples of how available compliance solutions could be applied to both GDPR and UK GDPR regulation.

Click here to read the full paper.

UK Government note clarifies “no deal” and data protection

The UK Government has published a “no deal” note to clarify how data protection law will work in the event that the UK leaves the EU without a deal. The note confirms that separate draft regulations and more detailed guidance will be published in the next few weeks but, in the meantime, it clarifies at a high level a number of key issues for organisations both within the UK and outside but doing business with the UK.
