EU-UK Brexit Deal grants an interim data transfer window

On Christmas Eve, the EU and UK announced that they had reached an agreement on their future relationship, which we expect to come into effect on 1 January 2021 (the “Brexit Deal”). Further details of the deal itself will be discussed by my colleagues on our Beyond Brexit blog, available here. And for the most part, the Brexit Deal does not deal with data protection specific issues.

However, for those data practitioners amongst us, you will know that the main area of concern related to Brexit has long been the issue of data transfers and whether or not the UK will be considered ‘adequate’ for GDPR purposes. In this respect, the Brexit Deal does throw a slightly unexpected lifeline of sorts.

The interim data transfer window

Article FINPROV.10A (Interim provision for transmission of personal data to the United Kingdom) provides for a four month window (which can be extended to six months) during which the UK will still not be treated as a ‘third country’ for GDPR purposes, thereby allowing the free flow of data from the EU and EEA Member States to the UK. So far so good, and many companies may be breathing a sigh of relief that the 31st December ‘cliff edge’ has been avoided. However, the interim data transfer window comes with strings attached.

The draft Brexit Deal makes it clear that the interim data transfer window will only remain open provided that the UK: (i) does not change its data protection laws from those in place on 31 December 2020 (i.e. the UK GDPR); and (ii) does not exercise any of its ‘designated powers’ without agreement from Europe. The ‘designated powers’ referred to are a relatively long shopping list of actions that the UK may not take with respect to international data transfers. For example, it may not publish its own set of ‘standard contractual clauses’ or approve a draft Code of Conduct with respect to international transfers of data. If the UK takes any such action without agreement from Europe, then the transfer window will automatically close (meaning the companies would need to put additional transfer mechanisms in place to legitimise the transfer of data from the EU to the UK). This appears to be a relatively significant restraint on the UK’s autonomy over its own laws in the pending post-Brexit world, although presumably a concession that the UK was willing to make given that it had always intended to effectively transpose the GDPR into UK domestic law.

Implications for adequacy

It is difficult at this stage to understand what the implications of the Brexit Deal could be for the ongoing adequacy assessment being undertaken by the European Commission. The establishment of an interim 4-6 month data transfer window could lead some to be cautiously optimistic that the European Commission simply needs a bit more time to dot its ‘i’s and cross its ‘t’s with respect to adequacy. However, the relatively long shopping list of actions that the UK is prevented from taking in the field of data protection in order to keep the data transfer window open for that 4-6 month period hints at a nervousness within the European Commission that the UK may move away from the principles of the GDPR in the future, something that could prevent an adequacy decision being granted in its favour. As a result, many companies may be left with the distinct impression that the deal is simply delaying the inevitable cliff edge when it comes to data transfers. The implications of not obtaining an adequacy decision are particularly concerning when considering the possible implications of the CJEU judgment in the Schrems II case earlier this year (for further details, please see our Schrems blog posts available here). So whilst the interim data transfer window provided by the Brexit Deal will likely be welcomed, there nonetheless remains an anxious wait to understand the European Commission’s position on the long-term adequacy of the UK in the eyes of data protection law.

Miriam Everett

Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378

CJEU RULES BULK DATA RETENTION SCHEMES UNLAWFUL: IMPACT ON BREXIT AND SCHREMS II

  • A recent CJEU judgment has found bulk data retention laws in the UK, France and Belgium to be incompatible with EU law.
  • The judgment could have a negative impact on the UK’s efforts to obtain an adequacy decision from the EU Commission before the end of the year to enable to free flow of personal data between the EU and the UK post-Brexit.
  • In light of the recent Schrems II judgment which criticised US authority access to data, even if the UK obtains its adequacy decision, a change to its surveillance laws must surely be required in order to avoid a Schrems-style challenge in the future.

Background

The Court of Justice of the European Union (“CJEU”) recently issued a judgment in favour of various rights advocacy organisations, including Privacy International and La Quadrature du Net in relation to a number of cases that the organisations had brought against bulk data retention schemes run by British, French and Belgian security and intelligence agencies.

In these cases, the rights advocacy organisations raised objections to the intrusiveness of bulk data retention schemes, seeking to rein in the extensive powers exercised by security and intelligence agencies to either:

  1. retain users’ traffic and location data (“Metadata”) received from providers of electronic communication services; or
  2. require providers of electronic communication services to retain Metadata on their behalf,

for the purposes of conducting mass surveillance in the interests of protecting national security.

Finding in favour of the rights advocacy organisations, the CJEU made it clear in its judgment that:

  • national legislation requiring providers of electronic communications services to retain Metadata or to forward that data to security and intelligence agencies falls within the scope of EU law, including when this is done for the purposes of protecting national security;
  • Member States are prohibited from adopting legislation, for national security purposes or otherwise, intended to restrict the scope of rights and obligations provided for in EU law, specifically the obligation to ensure confidentiality of communications and traffic data, unless the legislation is in accordance with the general principles of EU law;
  • the general principles of EU law, in particular the principle of proportionality and the fundamental rights guaranteed by the Charter, apply to bulk data collection and preclude Metadata transmission or retention in a “general and indiscriminate manner”, restricting it to what is “strictly necessary” (i.e. requiring member states to authorise retention or transmission on a case by case basis rather than giving blanket authorisations); and
  • Member States may only authorise indiscriminate and bulk retention of data where they are faced with a serious threat to national security that proves to be genuine and present or foreseeable, subject to review by a court or independent body.

It is important to note that this judgment runs counter to certain elements of the UK’s Investigatory Powers Act as well as the French Decree on specialised intelligence services from 2015, and the Belgian Law on collection and retention of communication data from 2016, all of which may require reform in order to comply with various aspects of the CJEU ruling.

Impact on Brexit

One of the UK Government’s many objectives ahead of 1 January 2021 (i.e. the end of the transition period following the UK’s departure from the EU) is to obtain an adequacy decision from the European Commission to allow the free flow of data between the UK and EU to continue – any failure to achieve adequacy will lead to logistical challenges and increased costs for organisations engaged in EU-UK data transfers. However, the UK Government will only be granted this adequacy decision if it is able to demonstrate that its domestic laws will provide “essentially equivalent” protection to EU data subjects as they are afforded under EU law when their data is transferred to the UK.

This latest judgment potentially represents a major setback for the UK in relation to obtaining an adequacy decision given the CJEU’s finding that UK security and intelligence agencies’ broad powers to intercept and retain digital communications under the UK’s Investigatory Powers Act, together with the UK’s practices regarding access to and bulk retention of data in general, are essentially incompatible with EU law. The UK Government will need to factor the task of reaching a deal in relation to accessing and retaining Metadata for national security purposes into its Brexit timetable.

Impact on Schrems II

The CJEU’s judgment in the Privacy International case follows its Schrems II judgment, which was handed down earlier this year and served to invalidate the EU-US Privacy Shield, a transatlantic data sharing agreement which allowed organisations to transfer personal data between the EU and the US. Part of the reason for the invalidation of this mechanism was on the grounds that US national security laws were too intrusive and that EU individuals did not have sufficient access to legal redress in the US. In light of this, even if the UK obtains an adequacy decision from the European Commission, a change to UK surveillance laws will surely be needed to avoid a Schrems-style challenge in the future.

Schrems II also placed significant emphasis on the due diligence which exporting controllers and supervisory authorities are expected to undertake in relation to the legal environment of third countries to which personal data is to be transferred in reliance on Standard Contractual Clauses, although there has been scant guidance to supplement this aspect of the judgment to date.  By clarifying what it deems to amount to acceptable access and retention of Metadata by security and intelligence agencies in member states, the CJEU’s latest judgment does at least provide an indication of the standard that it expects the national security and surveillance laws of third countries to meet for the purposes of this due diligence.

Duc Tran

Duc Tran
Senior Associate, Digital TMT, Sourcing and Data, London
+44 20 7466 2954

Julia Ostendorf

Julia Ostendorf
Trainee Solicitor, London
+44 20 7466 2154

Schrems II: Standard Contractual Clauses Are Valid

The Advocate General (“AG“) of the Court of Justice of the European Union (“ECJ“) has recommended that the Standard Contractual Clauses (“SCCs“) should remain a valid mechanism to legitimise the transfer of personal data to third countries. However:

Continue reading