26 February 2021 - Post by: David Smith
News of the European Commission’s draft Decision that the UK ensures an adequate level of protection for personal data transferred from the EU to the UK can only have been greeted with a sigh of relief by businesses both in the UK and in the EU. This is the first and most important step on the road to delivering a final Decision enabling data flows to the UK to continue unhindered. Such a Decision should now be achievable by the 30 June deadline imposed through the UK-EU Trade and Cooperation Agreement. Nevertheless, the road ahead up to adoption of the Decision and beyond might just be a bumpy one.
Before adoption both the European Data Protection Board (EDPB) and the Committee of Member State representatives referred to in Art 93 of the GDPR have to provide the Commission with their opinions on its draft Decision. The European Parliament does not have a formal role in the process although it may nevertheless express its views by adopting a resolution. Any views that it does express could be influential on the EDPB and, perhaps to a lesser extent, on the Committee of Member State representatives. The final decision though rests solely with the European Commission. In fact, there are two Decisions and therefore two sets of opinions that need to be delivered. As well as the draft Decision on adequacy under Art 45 of the GDPR, which will have the most impact on the business community, and which is the focus of this post, we also have a draft Decision on adequacy under the Law Enforcement Directive. Arguably, it is the latter that could have the bumpier ride given that this will be the first ever EU adequacy decision covering law enforcement data and also that the potential for UK public authorities to have access to and make use of the transferred data could have an even greater significance on any adequacy determination in this sector given the nature of the data at stake.
The European Data Protection Board
There can be little doubt that the EDPB will submit the draft Decision to a thorough examination. Its opinion on the draft adequacy decision for Japan ran to some 40 pages. However, it may not find much to criticise in that part of the Commission’s draft Decision addressing the rules applying to the processing of personal data in the UK. After all, the UK’s rules are essentially those of the GDPR, the same rules that are applied by the EDPB members themselves. The ICO has been party to the bulk of the EDPB’s guidelines on the interpretation and application of the GDPR and these are reflected in the ICO’s own guidance. Furthermore, the ICO was, until recently, a trusted partner of the EDPB members. Its work is well known to them and serious doubts about its commitment and effectiveness as a regulator are unlikely to emerge.
The EDPB might just try to pick holes in the UK’s implementation of those GDPR rules where some discretion is left to Member States. These include the conditions for processing special categories of personal data and criminal conviction data set out in Schedule 1 of the Data Protection Act 2018 and the exemptions from the GDPR set out in Schedules 2, 3 and 4. In particular, the EDPB might pick up on the exemption covering the processing of personal data in connection with immigration controls, which has already come under criticism from civil society organisations and others. One area in which the EDPB and its predecessor, the Article 29 Working Party, have traditionally taken a keen interest when examining adequacy proposals is the rules for onward transfer. They will want to be sure that EU personal data transferred to the UK, as they would with transfers to any third country, cannot then be transferred on to another third country where the level of protection is significantly lower. Here, as discussed in earlier posts, they could call into question the distinction that the ICO draws in its guidance between “restricted transfers” and, by implication, unrestricted transfers, a distinction that is not reflected in the EDPB’s own guidelines. Particularly now that we have Schrems II, there seems to be a degree of inconsistency between the EU approach and the UK approach whereby transfers to third countries are able to take place without restriction if, by virtue of its extraterritorial extent, the GDPR will continue to apply to the transferred data once they reach their destination, without there being any need for the exporter to carry out a Schrems II assessment or put other safeguards in place. Nevertheless, it seems unlikely that any concern of this nature that the EDPB might have with the rules applying to the processing of personal data in the UK will be so significant as to pose an obstacle to UK adequacy.
That part of the draft Decision addressing access to and use of personal data transferred from the EU by public authorities in the UK is more of an unknown quantity. It forms the bulk of the Commission’s narrative, running to some 53 pages out of 87 in the draft Decision. This is also the first draft decision to be developed by the Commission following the Schrems II judgment of the CJEU. It will therefore be interesting to see how the EDPB approaches this aspect of its task. Here we need to bear in mind that whilst the background material on the UK’s surveillance regime is extensive and complex, the assessment that the Commission has to make is essentially a simple one. It is whether, as the Commission puts it, “any interference with the fundamental rights of the individuals whose personal data are transferred from the European Union to the United Kingdom by United Kingdom public authorities for public interest purposes, in particular law enforcement and national security purposes, will be limited to what is strictly necessary to achieve the legitimate objective in question, and that effective legal protection against such interference exists.” It will be surprising if the EDPB does not come up with some critical comments and reservations about the UK’s regime for access to and use of data by its public authorities and maybe also about the associated legal protections for affected individuals. It will though be equally surprising if the EDPB comes up with any significant new arguments that fundamentally call into question the positive assessment that the Commission has set out in its draft decision.
The most likely outcome is that the EDPB opinion will, as it did in the case of Japan’s adequacy finding, come up with some positive comments about convergence between the UK and EU data protection regimes but also identify areas of challenge, setting out points where the EDPB has remaining concerns and points where the EDPB considers that some further clarification is required. The EDPB is though unlikely to come up with either an explicit endorsement or an explicit rejection of the Commission’s conclusions on UK adequacy. Once it has sight of the EDPB’s opinion the Commission can be expected to take some steps to address the EDPB’s concerns and may seek further clarification or assurances from the UK Government. Indeed, it is likely that there have already been some informal discussions between the EDPB and the Commission and the Commission will be present at the forthcoming deliberations in the relevant EDPB sub-group. The Commission may therefore start to take these steps and revise its draft Decision as soon as it becomes more fully aware of the EDPB’s thinking without waiting to receive its formal opinion. The end result could well be some changes to the Commission’s draft Decision but it will be surprising if these are substantial given the apparent thoroughness of the Commission’s underlying analysis of the UK’s data protection regime.
Committee of Member State Representatives
The Committee of Member State representatives will then consider the draft Decision in the light of the EDPB’s opinion and any changes that the Commission might have made in the meantime. This consideration is unlikely to involve the same sort of in-depth examination that the EDPB will have undertaken. The Committee may seek clarification on some points but is most unlikely to call the Commission’s conclusions seriously into question. Although the members of the EDPB can, despite their independence, be influenced to varying extents by political considerations in their respective Member States, the Member State representatives are, given the nature of their role, strongly influenced by such considerations. On at least one occasion in the past this has held up the Committee’s deliberations, leading to delay in the adoption of an adequacy decision for reasons that had little to do with any doubts about the level of data protection in the third country under consideration. However, neither the Committee nor its predecessor has ever stood in the way of the eventual adoption of an adequacy decision and there is no reason to suppose that this will happen in the UK’s case. We just have to hope that there won’t be any significant political falling out between the UK and any of the EU Member States making up the Committee whilst UK adequacy is under consideration that may put a spanner in the works, even if it is only a temporary one.
The EDPB will undoubtedly take some time to develop its opinion. In the case of Japan, the EDPB took just over two months to do so. It might be able to move more quickly now given that its members will already have a good understanding of the UK’s data protection regime but it won’t want its approach to the UK draft Decision to be or appear to be any less thorough than it would be for decisions relating to other third countries. The fact that the EDPB is working remotely might help speed up the process, especially if there is no major disagreement between members, as sub-group meetings can be convened more quickly and more frequently when their members do not have to travel to Brussels in order to get together. Nevertheless, the expectation is that the EDPB will not deliver its opinion until well into April at the earliest.
With Japan it took nearly two months from the EDPB delivering its opinion to the Commission’s final adequacy decision. The Commission moved quickly then and perhaps it could move just as quickly or even more quickly now but this will depend, in part, on the willingness of the Committee of Member State representatives to get together and conclude its deliberations without undue delay. With its predecessor committee under the Data Protection Directive the difficulty in simply convening meetings led to some substantial delays in the adoption of adequacy decisions. Nevertheless, it is certainly possible for the whole process to be completed by the end of June this year even if it is unlikely to be completed by the end of April. This simply means that the additional two months “bridging period” provided in the Trade and Cooperation Agreement to enable personal data transfers to continue without interruption between the EEA and UK will be needed beyond the initial four months that run up to the end of April. Even if, for some reason, the June deadline cannot be met it seems unlikely that, provided everything is still heading in the right direction, the UK and the EU will not be able to pull another rabbit out of the hat to ensure that EU – UK data flows can continue unrestricted beyond the end of June while the final stages of adopting the adequacy Decision are completed.
The Review Provisions
Perhaps the most interesting element of the draft Decision is its review provisions. Here the Commission is proposing the most stringent measures seen to date. As with the Japan Decision the Commission is charging itself with continuously monitoring the application of the legal framework on which the Decision is based. Specific reference is made to monitoring the conditions under which onward transfers from the UK are carried out, cases where the ICO might fail to ensure compliance with the UK’s legal framework and any indications that interferences by the UK’s public authorities with the data protection rights of individuals go beyond what is strictly necessary. There are no surprises here. What singles the draft UK Decision out from other adequacy decisions though is that it is time limited to four years and will then automatically lapse unless it is renewed.
Other adequacy decisions do have a fixed review period. Art 45(3) of the GDPR requires that any decision is subject to a periodic review at least every four years. In the case of Japan, although the Commission initially proposed a review every four years, the first review period was eventually set at two years in line with the opinion expressed by the EDPB. However, other decisions all remain in force until amended, replaced or repealed by the Commission, the onus thus being on the Commission to demonstrate that the conditions for adequacy are no longer being met. However, in the case of the UK, the Decision will lapse after four years unless formally extended, the onus therefore being placed much more on the UK to demonstrate that, after four years, it still satisfies the necessary conditions.
Why is the UK to be treated so differently? As the Commission says in its draft Decision, now that the UK has left the EU, it “will administer, apply and enforce a new data protection regime compared to the one in place when it was bound by EU law. This may notably involve amendments or changes to the data protection framework assessed in this Decision, as well as other relevant developments.” Although put diplomatically, this suggests that the Commission harbours suspicions that following Brexit the UK will take the opportunity to make significant changes to its data protection regime, to the extent that these could undermine the adequacy finding. Here, the Commission might not have in mind so much the UK’s commitment to the GDPR as the UK’s broader commitment to the European Convention of Human Rights. Indeed, the Commission highlighted this in its statement accompanying the draft Decision where it said that “It is also worth noting that the UK is – and has committed to remain – party to the European Convention of Human Rights and to Convention 108 of the Council of Europe, the only binding multilateral instrument on data protection. This means that, while it has left the EU, the UK remains a member of the European “privacy family”. Continued adherence to such international conventions is of particular importance for the stability and durability of the proposed adequacy findings”.
Clearly any future UK withdrawal from the European Convention of Human Rights and/or the ambit of the associated Strasbourg court, as has been hinted at in the past, could place an adequacy decision for the UK in jeopardy, particularly in relation to safeguards surrounding access to and use of transferred data by the UK’s public authorities. However, the question remains as to what lesser changes the UK might be able to introduce to what is now the UK GDPR and to the ICO’s guidance on its application without putting a future extension of the EU’s adequacy Decision at risk. Whatever views might be held on the wider question of Brexit itself, many will be hoping that now that Brexit has taken place the UK will, in due course, be able to develop a somewhat more measured approach to at least some aspects of UK data protection regulation without sacrificing the protection that is delivered to individuals in practice. Even without changes to the law the ICO might now be able to follow more closely the pragmatic course on which it has prided itself in the past given that it will no longer be under an obligation to follow some of the arguably more disproportionate and impractical interpretations that the EDPB has placed on the wording and application of the GDPR. The challenge will be to simplify the UK’s data protection regime and focus it more genuinely on risk without either undermining the protection afforded to individuals or going so far as to jeopardise the continuation of UK adequacy. Here it should be borne in mind that the requirement for adequacy remains one of delivering “essential equivalence” in data protection outcomes rather than having and maintaining identical or near identical legislation to that applicable in the EU.
Of course, any Commission decision is open to legal challenge. No doubt Max Schrems will be examining the draft UK decision closely even though there must surely be greater threats posed to privacy that he could be addressing. After all, transfers of personal data from the EU to the UK have been taking place under much the same regime over many years. Little has changed in practice following Brexit even though now the legal basis for transfers might be a different one. Perhaps we will be in line for Schrems III, although more likely it will be Schrems IV, Schrems V or even Schrems VI by the time any case reaches the CJEU. The saving grace is that whatever happens, it is likely to be several years before we reach this stage. Ultimately, if the CJEU fails to recognise that the UK meets the standard of essential equivalence, it is hard to believe that there could be many, if any, other countries that would satisfy its stringent requirements.
It will also be interesting to see how the European Commission now approaches other adequacy determinations in the light of Schrems II. These include the reviews of third countries such as Argentina, Israel and New Zealand that were subject to adequacy decisions prior to the GDPR coming into effect. Presumably any potential decisions will be subject to the same exhaustive examination that has been applied to the UK, particularly in relation to access to and use of transferred personal data by public authorities. How many will pass the test, even amongst those that are currently the subject of adequacy decisions? The UK’s surveillance system might be more extensive than that in many other countries but, as the draft Decision demonstrates, it is relatively transparent, subject to the rule of law and incorporates legal rights for individuals. There must be a question as to how far the surveillance systems in other countries, including perhaps even some EU member states, would fare if they were subject to the same intensive examination that the UK system has faced. Furthermore, the whole process leading up to an adequacy decision must also be extremely resource intensive not just for those third countries under examination but also for the Commission itself. Might some potential candidates conclude that the prize is not worth the effort? Either way it seems that if the adequacy decision for the UK goes through the UK is not likely to have very much company in its place on the EU’s list of adequate countries for some considerable time to come.