29 October 2020 - Post by: David Smith
EU officials were reported recently in the media as saying that there are two key issues standing in the way of an adequacy finding for the UK. These are the use of data by the UK intelligence services and the potential “onward flow” of data from the UK to countries such as the US. Apparently Downing Street is still hoping for a positive decision from the European Commission before the end of the year even though EU officials’ concerns over future rules governing access to data by UK national security authorities have been heightened by the Schrems II ruling of the Court of Justice of the European Union (CJEU). And these reports of EU concerns came before the CJEU’s latest ruling in a case brought by Privacy International on the legality of UK legislation authorising the acquisition and use of bulk communications data by the UK’s security and intelligence agencies.
It is not entirely clear whether the concern of EU officials about onward transfers is confined to the onward transfer of personal data obtained by the UK intelligence services or is a more general concern about the potential for onward transfer from the UK of any personal data that has been transferred from the EU to the UK. Indications are though that it is the latter, given that the concern is reported in the context of the publication of The UK National Data Strategy in which the Ministerial Foreword commits generally to, “…encouraging the international flow of data across borders…”.
Before going on to discuss the concerns of EU officials in more depth it is worth recalling that the UK is, in fact, looking for two adequacy findings from the EU. There is a finding under Art 45 of the GDPR for the transfer of EU personal data within the scope of that Regulation and there is a finding under Art 36 of the Law Enforcement Directive for the transfer of EU personal data within the scope of that Directive. These two findings are not inextricably linked. The UK could be found to be an adequate destination under only one regime, under both or not under either. The following discussion is nevertheless focused on adequacy under the GDPR.
Access and Use by UK Intelligence Services
In earlier posts touching on this subject I suggested that although the surveillance activities of public authorities in the UK will inevitably cast a dark cloud over any consideration of the UK’s adequacy they might not stand in the way of a positive finding. There I pointed to the significance of the UK remaining a party to the European Convention on Human Rights (ECHR) and within the jurisdiction of the European Court of Human Rights. This means that, regardless of Brexit, the UK’s surveillance regime still has to satisfy basic human rights requirements and will continue to be open to external legal challenge if it does not do so. I even commented that the UK’s case for adequacy was given a boost by the Opinion of the Advocate General (AG) of the CJEU in the Schrems II case. In his Opinion the AG had indicated that as EU law does not apply to national security measures implemented by the state the ECHR does indeed constitute the relevant framework for evaluating whether the access of a third country’s public authorities to transferred personal data poses a barrier to an adequacy finding for that country.
Since then the CJEU has turned the dark cloud distinctly black. First we have the Schrems II decision in which the Court declined to follow the AG’s reasoning and ruled that the standard against which access by a third country’s public authorities should be assessed is that of the GDPR read in the light of the Charter of Fundamental Rights of the European Union rather than the less specific and arguably less stringent requirements of the ECHR. Despite this tightening of the noose I suggested in a post on the Schrems II decision that all might not be lost for the UK given that the UK system goes much further in providing safeguards, enforceable rights and effective legal remedies for data subjects than the US system that the CJEU was focussing on in Schrems II. The question was whether these measures would be sufficient to satisfy the European Commission.
The Privacy International Case
Now we have the CJEU’s decision in Case C-623/17 to add to the mixture. This case involved a reference to the CJEU from the UK’s Investigatory Powers Tribunal in a case brought by the civil society group Privacy International against the UK Government. Here the CJEU ruled that:
- National legislation enabling a State authority to require providers of electronic communication services to forward traffic data and location data to the security and intelligence agencies of that State for the purposes of safeguarding national security falls within the scope of EU law and, in particular, the Directive on privacy and electronic communications.
- That Directive, read in the light of the EU Charter of Fundamental Rights, must be interpreted as precluding national law that enables a State authority to require providers of electronic communication services to carry out the general and indiscriminate transmission of traffic data and location data to that State’s security and intelligence services for the purpose of safeguarding national security.
In essence the CJEU has said that UK law permitting the bulk collection of communications data by the UK’s intelligence services is incompatible with EU standards of protection as set out in the privacy and electronic communications Directive and the EU Charter. Viewed in the context of a potential adequacy finding for the UK the CJEU has ruled that the surveillance system in the UK suffers from a similar defect to the one in the US system that led the Court to strike down the adequacy decision for the US Privacy Shield. The general and indiscriminate nature of surveillance powers does not satisfy the requirements of the EU’s principle of proportionality.
The fact that Privacy International was able to bring a case against the UK Government in the Investigatory Powers Tribunal may help to demonstrate to the European Commission that, unlike in the US system examined by the CJEU in Schrems II, the legal order surrounding UK surveillance does provide for access to effective legal remedies. Nevertheless, the lack of proportionality in the bulk information gathering powers, as identified by the CJEU in the Privacy International case, calls into question how the UK will be able to pass the test of “essential equivalence”, given how this test has been developed and extended by the CJEU in Schrems II and earlier case law. Of course, there could be a change in UK law to accommodate the CJEU’s ruling if this does indeed prove an obstacle to adequacy but, given the context of Brexit, the likelihood of this must be questionable.
Onward Data Flows
Under Art 45 of the GDPR the elements that the European Commission is required to take into account when assessing the adequacy of a third country’s system include, “rules for the onward transfer of personal data to another third country…”. On the face of it, this should pose little problem for the UK. Once the transition period ends the UK’s own law will mirror the GDPR, meaning that the UK will be applying the same “adequacy” requirement for transfers of personal data onwards from the UK to other third countries that the EU applies to transfers from the EU to the UK. It will even be the case that the CJEU’s existing case law, including the Schrems II and Privacy International decisions, will become part of “retained case law” in the UK. The UK Government will therefore have to respect relevant CJEU case law when applying the international transfer provisions of the UK GDPR, unless such case law is overruled by either a decision of the Supreme Court or, as the Government has recently confirmed, by the Court of Appeal, or by another court or tribunal that is specifically authorised under regulations to overrule it. What could possibly go wrong for the UK?
The UK Government’s National Data Strategy
Perhaps the European Commission’s apparent concern about onward transfers is that despite this legal framework the UK will nevertheless, when it comes to applying the law in practice, impose less stringent requirements for transfers from the UK to other third countries than the EU would itself impose on transfers to those countries thus creating a backdoor route for EU exporters. If so the Commission’s concerns could have been heightened by the publication, for consultation, of the UK Government’s National Data Strategy. This says that:
“We will work globally to remove unnecessary barriers to international data flows. We will agree ambitious data provisions in our trade negotiations and use our newly independent seat in the World Trade Organisation to influence trade rules for data for the better. We will remove obstacles to international data transfers which support growth and innovation, including by developing a new UK capability that delivers new and innovative mechanisms for international data transfers. We will also work with partners in the G20 to create interoperability between national data regimes to minimise friction when transferring data between different countries.”
The “unnecessary barriers” that the Government is referring to here may not be confined to international flows of personal data but, in so far as they do relate to such flows, the European Commission may well take a different view of what would amount to an unnecessary barrier. They may wonder just what the UK’s “new and innovative mechanisms for international data transfers” might be and how far these will be compatible with the GDPR and the EU Charter. Furthermore the EU has always resisted the idea that the protection of personal data can be a negotiable element in international trade agreements concerning, as it does, the protection of fundamental rights.
The ICO’s Guidance
The European Commission might also be concerned about the ICO’s guidance on international transfers under the GDPR. In this guidance, the ICO draws a distinction between what it refers to as “restricted transfers” to which all the requirements of Chapter V of the GDPR apply and other transfers which are therefore unrestricted and to which these requirements do not apply. Essentially, the ICO’s approach is that if the processing of personal data remains subject to the GDPR after transfer, as a result of the extra territorial reach of the GDPR, then transfer of the data outside the EU does not need to be restricted because such a transfer ought not to undermine the level of protection provided by the GDPR.
This approach has been called into question before now, as failing to ensure sufficient protection for the transferred personal data once they have left EU territory. Apparently it was discussed by the EDPB but has not been endorsed by them and is not reflected in the EDPB’s guidelines on the GDPR’s territorial scope. The ICO’s approach now looks increasingly out of place in the light of the Schrems II judgment. Simply because the transferred personal data might continue to be subject to the GDPR when in a third country does not mean that data subjects are necessarily, “afforded a level of protection essentially equivalent to that guaranteed within the European Union”. The fact that the data remain subject to the GDPR may provide some measure of safeguarding but the GDPR will not, in itself, ensure that the country’s public authorities act proportionately in demanding access to data or give data subjects enforceable rights or effective legal remedies against these authorities. The thinking behind the ICO’s approach was that the restrictions on international transfers in Chapter V of the GDPR only have to be applied in so far as they are needed “to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined”. It follows from the Schrems II judgment that the required level of protection will not be guaranteed simply because the transferred personal data continue to be subject to the GDPR in the destination country.
What is Required for Adequacy?
Of course, the ICO could always change its guidance if this is necessary for the UK to achieve an adequacy finding. It is not, though, entirely clear what standard the European Commission will now be requiring third countries to meet in relation to onward transfers to other third countries, if they are to be subject to an adequacy decision by the Commission. Art 25 of the GDPR makes it clear that any assessment of adequacy must take account of “…data protection rules….including rules for the onward transfer of personal data to another third country or international organisation….”. Arguably, it follows from Schrems II that if EU data subjects are to continue to be “afforded a level of protection essentially equivalent to that guaranteed within the European Union” the standard that the judgment sets for transfers of personal data from the EU to a third country must apply equally to any onward transfer of that personal data to another third country. Does this mean that to be “adequate” any country will now have to guarantee that personal data received from the EU will only be passed on to another third country once there has been a positive assessment, to the standard set by the CJEU in Schrems II, of that country’s legal system? If so this is indeed a high standard.
Such a high standard may sit uneasily with the commitment in the UK’s National Data Strategy to remove unnecessary barriers to international data flows but the UK will nevertheless have to comply with the Schrems II ruling during the rest of the transitional period and beyond, in so far as Schrems II remains part of retained case law in the UK. Assessing the legal systems of third countries relating to access by public authorities will not therefore be an alien concept in the UK. How might it be viewed though by those third countries with an existing adequacy finding that they hope to have renewed or by those with an ambition to achieve an adequacy finding for the first time? Might this prove a step too far for them?
Even were the UK to get a green light in the European Commission’s assessment the timetable to deliver a confirmed adequacy decision looks increasingly challenging. The following stages will all need to be completed before any adequacy finding can be finalised.
- A draft European Commission decision
- An Opinion by the European Data Protection Board
- A vote by Member States in the Standing Committee
- Adoption by the College of European Commissioners
Perhaps it is just possible that all these requirements could be met before the end of the year despite the EDPB, at the very least, being unlikely to be willing to sacrifice thoroughness for expediency in developing its opinion. As always the political climate will be important. If a trade deal is agreed between the UK and the EU maybe all the stops can be pulled out in order to deliver an adequacy finding in time. Or, if this isn’t achievable perhaps there could be some sort of interim fix to maintain the status quo for international transfers between the EU and the UK until the adequacy process can be completed. On the other hand if there is no trade deal then the prospects for any early adequacy finding for the UK do indeed look bleak.