For the moment everyone’s attention is on whether the UK will crash out of the EU on 29 March or whether a last minute transitional deal will be agreed. There could even be a delay to Brexit but sooner or later the question will arise as to whether a post Brexit UK can satisfy the European Commission that it ensures an adequate level of protection for personal data transferred from the EU. The UK clearly has much going for it. We have a well established and effective system of data protection based on a law that, post Brexit, will, to all intents and purposes, be the same as the GDPR. We have a genuinely independent data protection authority that is well resourced and has demonstrated its capacity to take strong enforcement action when necessary. What could possibly go wrong for the UK?
Of course politics will come into play. We can but hope that there will be the necessary good will on both sides to ensure that early and speedy consideration of the UK’s adequacy takes place despite the lengthy delays that have been faced by some applicant countries in the past. Political considerations might also impact on the attention given to state surveillance activities in the UK in any assessment of adequacy. Some commentators have suggested that the powers of the UK security services, and, in particular, their bulk interception capability, could stand in the way of an adequacy finding for the UK. How much of a threat is this though?. At first glance it seems like a real threat. In striking down the adequacy decision applying to the US Safe Harbor the CJEU cited US legislation that permitted public authorities to have access on a generalised and unlimited basis to the content of electronic communications and the lack of legal remedies for affected individuals. The extent of state surveillance is clearly a relevant factor. Art 45 (2) of the GDPR requires the European Commission, when assessing adequacy, to take account of, “… the access of public authorities to personal data…” as well as the existence of, “…effective and enforceable data subject rights and effective and enforceable judicial redress….”. Furthermore the recent adequacy finding for Japan mentions assurances given to the Commission about safeguards governing access by Japanese public authorities to transferred personal data for criminal law enforcement and national security purposes.
However the outlook for the UK is not necessarily a bleak one. Despite Brexit the UK will remain a party to the European Convention on Human Rights and within the jurisdiction of the European Court of Human Rights (ECtHR). Thus the UK’s surveillance regime will still have to satisfy basic human rights requirements and will be open to external legal challenge if it does not. This is no different from the position that EU members states are in given that national security activities fall outside the scope of European Union law. The ECtHR has recently had cause to examine the UK’s bulk interception regime in the case of Big Brother Watch and Others v UK. The initial judgment has now been referred to the Grand Chamber and was based on UK investigatory powers legislation that has now been superseded. Nevertheless, whilst the Court found against the UK in several respects, the case clearly demonstrates that the UK is not a law unto itself so far as state surveillance is concerned. Furthermore the Investigatory Powers Act 2016 has already dealt with some of the Court’s concerns and the UK Government’s position in any adequacy discussions will be further enhanced if it can demonstrate that it is now addressing the remainder.
It is also significant that in its judgment the ECtHR recognised the legitimacy of a bulk interception capability if a state considers that it is necessary in the interests of national security and provided that there are adequate and sufficient guarantees against arbitrariness and the risk of abuse. Furthermore the Court also recognised the validity of the UK’s oversight mechanisms including the then Interception of Communications Commissioner and the Investigatory Powers Tribunal (IPT). Specifically it said that, “… as a general rule the IPT has shown itself to be a remedy, available in theory and practice, which is capable of offering redress to applicants…”.
In its Adequacy Referential (WP254) the Article 29 Working Party referred to four guarantees that need to be respected for access to data , whether for national security purposes of for law enforcement purposes, by all countries in order to be considered adequate. These are that;
• Processing should be based on clear, precise and accessible rules (legal basis)
• Necessity and proportionality with regards to legitimate interests pursued need to be demonstrated
• The processing has to be subject to independent oversight
• Effective remedies need to be available to the individuals
Although the ECtHR was not directly applying these tests to the UK’s surveillance regime In the Big Brother Watch case it in effect did so. In its lengthy and detailed judgment, it arguably concluded that they had been satisfied. Furthermore the UK’s position in any consideration of adequacy can only have been boosted by a statement from the UN Special Rapporteur on the Right to Privacy at the end of his mission to the UK in June last year. After previously being openly critical of the UK’s system of oversight of its intelligence services he praised the improvements that had taken place and said that he was satisfied that the UK now goes to great lengths to ensure that unauthorised surveillance does not take place and that authorisation is only given after the necessity and proportionality of the surveillance measure has been demonstrated on a case by case basis. Indeed his press release was headed, “ UK jointly leads Europe and world on privacy after big improvements, says UN rights expert”.
Of course there could be other hurdles to an adequacy finding for the UK, and there is a long way to go yet, but hopefully the surveillance powers of the UK security services will not turn out to be the significant obstacle that some may have feared.