Data Protection Interregnum under the EU-UK Trade and Cooperation Agreement (TCA)
1 January 2021 came and went, yet data flows continued seamlessly between the European Union ("EU") and the United Kingdom ("UK"), alleviating years of concern about business and trade disruption born in the aftermath of the Brexit Referendum in June 2016.
Ever since the question of EU-UK data flows came to the forefront of the Brexit negotiations, it has been clear that the best way to maintain data flows between the EU and the UK following Brexit is to obtain EU adequacy. An assessment of adequacy from the EU Commission would recognise that UK data protection laws provide standards that are "essentially equivalent" to EU law ("EU Adequacy"). However, the EU Commission stated early in the Brexit negotiations that it would only start its unilateral adequacy assessment, under both the General Data Protection Regulation ("GDPR") and the Law Enforcement Directive ("LED"), once a deal had been reached.
That assessment is now underway and, in the meantime, the fate of data flows between the UK and the EU in the long-term remains unknown.
However, in the short term, the Trade and Cooperation Agreement (TCA), agreed by the UK, the EU and EURATOM on 24 December 2020 as part of the Brexit deal (which also includes the Nuclear Cooperation Agreement and the Security of Information Agreement) ("Brexit Deal"), has established an interim cross-border data protection regime. The TCA has been provisionally applicable since 1 January 2021 and is expected to be formally ratified by the European Parliament by 28 February 2021.
We look first (1) at the nature and implications of the interim data protection regime established by the TCA before considering (2) the merits and challenges for the UK's data protection laws to be granted EU Adequacy.
I. THE INTERIM DATA PROTECTION REGIME UNDER THE TCA
From 1 January 2021, the UK data protection laws are as follows:
- the EU GDPR, which is an EU Regulation, no longer applies directly to the UK;
- the UK GDPR is established by the European Union (Withdrawal) Act 2018, which incorporates the body of EU law in place on exit-day, including the GDPR ("Retained EU Law") into UK law ("UK GDPR"). The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 ("DP Brexit Regulations") amend the GDPR (as it forms part of the Retained EU Law) and the Data Protection Act 2018 ("DPA 2018"), as they replace GDPR provisions and EU references with UK references; and
- the UK GDPR sits alongside an amended version of the DPA 2018, as shown by the Keeling schedules.
In practice, the UK has been a third country since officially leaving the EU on 1 February 2020. The Withdrawal Agreement allowed for a Brexit Transition Period, whereby the UK remained a member of the single market and customs union and as such continued to be subject to EU rules. As a result, despite the UK ceasing to be a member of the EU, transfers continued to be permitted without additional safeguards. However, that period came to an end on 31 December 2020.
The TCA now includes data protection provisions which seem to override the legal status of the UK as a third country and establish a new temporary UK-EU data protection regime. This short period of grace has been granted solely to allow the EU Commission to complete its assessment of the adequacy of UK data protection laws.
In this regard, the TCA includes a creative bridging mechanism for data transfers, which is meant to address the significant disruption that data flows would have suffered if the UK had become a third country in practice without being granted adequacy. The TCA also includes commitments to respect the UK's newfound sovereignty and right to regulate privacy and data protection laws within its territory.
A. Data Transfers in the Interim Period
The TCA specifically addresses data transfers from the EU and the European Economic Area ("EEA") to the UK. From 1 January 2021, the TCA establishes a four-month "Specified Period" during which transfers of personal data from the EU/EEA to the UK are allowed without any additional safeguards. During this period, according to Article FINPROV.10A.1 of the TCA, "the transmission of personal data from the Union to the UK shall not be considered as transfer to a third country under Union law".
In a nutshell, the free flow of data from the EU/EEA to the UK may continue during this Specified Period of four months, with an automatic extension of two further months if necessary, up until 30 June 2021 at the latest ("the Bridge" or "Bridge Period").
However, the UK is subject to two main conditions during this period:
- the UK data protection law in force on 31 December 2020 must continue to apply and in particular such law as it is saved and incorporated into United Kingdom law by the European Union (Withdrawal) Act 2018 and as modified by the DP Brexit Regulations; and
- the UK must not exercise its designated powers without the consent of the new EU-UK Partnership Council. Designated powers refer to the ability to approve new transfer mechanisms such as standard data protection clauses, codes of conduct, binding corporate rules ("BCRs"), etc.
The TCA does not address data transfers from the UK to the EU/EEA, as that is a matter for UK law. The UK Government and the Information Commissioner ("ICO") have confirmed that the UK currently considers all EEA jurisdictions, as well as all jurisdictions which have been granted EU Adequacy, as having an adequate level of data protection. Data flows from the UK to the EU/EEA will be authorised to continue until further review in 2024.
B. Additional Data Protection Commitments
The TCA highlights the importance of data protection rules and the commitments of the parties to ensure a high level of data protection in several places, including in relation to cooperation in Part Six, Title II (Dispute Resolution), by stating:
"The Parties recognise that individuals have a right to the protection of personal data and privacy and that high standards in this regard contribute to trust in the digital economy and to the development of trade, and are a key enabler for effective law enforcement cooperation. To that end, the Parties shall undertake to respect, each in the framework of their respective laws and regulations, the commitments they have made in this Agreement in connection with that right."
Under the TCA the UK and EU make a number of mutual commitments not to restrict cross-border data flows, including:
- not to require the use of computing facilities or network elements in either party's territory for processing, or the use of locally certified or approved computing facilities;
- not to adopt any data localisation requirements; and
- not to prohibit the storage or processing in the territory of the other party.
These commitments will be subject to a review and assessment within three years.
The TCA also provides for:
- the cooperation on DNA, fingerprint and vehicle registration data;
- rules on the sharing of Passenger Name Records and criminal record information; and
- the obligation to ensure that individuals are protected against unsolicited direct marketing communications.
To ensure that those fundamental guarantees effectively bite, there are dedicated suspension and termination rights for the EU in the TCA.
The violation of any such data protection commitments could give a party the right to suspend all or any part of the law enforcement and judicial cooperation provisions in Part Three, since those provisions may be suspended "in the event of serious and systemic deficiencies" by a party, including "where those deficiencies have led to a relevant adequacy decision ceasing to apply". Suspension would be triggered if, for instance, the UK decides to no longer give effect to the European Convention on Human Rights in its domestic laws, so that individuals can no longer effectively rely on it before domestic courts, or when an adequacy decision falls away.
Furthermore, should the UK decide to denounce the European Convention on Human Rights, the EU has the right to terminate Part Three on law enforcement and judicial cooperation in criminal matters on the date the denunciation becomes effective.
Clearly, the Bridge Period intends to freeze the status of the UK as at the end of 2020 and delay transfer restrictions (Chapter V of the GDPR) pending EU adequacy. Therefore, it is unlikely that, in such a context, any of the requirements applying to data transfers to third countries established by the European Court of Justice ("CJEU") Judgement on Schrems II dated 16 July 2020 are intended to apply to transfers to the UK – even though it would be perfectly sensible legally stricto sensu to consider them to apply given the UK is effectively a third country without an adequacy decision.
While the Bridge is a mechanism which may well have perfectly reasoned and logical political foundations, it remains a fragile legal construction open to legal challenge. From a legal point of view, the provisions of the TCA do not override the legal status of the UK as a third country, and it is not clear why the provisions related to the Bridge are incorporated in the TCA as opposed to a separate declaration in the EU-UK Joint Declarations. Yet, considering the brevity of the Bridge Period, it is doubtful that it will be challenged in court, as the opportunity to launch any meaningful legal challenge would undoubtedly come were the UK to be granted EU Adequacy at the end of the Bridge Period.
II. THE UK'S LONG ROAD TO ADEQUACY
The EU Commission has publicly expressed its intention to issue its decision with respect to an adequacy decision for the UK in the first weeks or months of 2021 – acutely aware that it is key for the continued flow of personal data into the UK once the Bridge expires. The LIBE Committee on Civil Liberties, Justice and Home Affairs, which debated UK Data Adequacy at its session of 14 January 2020, has confirmed that a decision should be issued within the Specified Period, with a proposal being submitted to the EDPB imminently in the next few weeks.
A. The Arguments in Favour of the UK's EU Adequacy
A number of provisions in the TCA refer to adequacy and seem to lay down the foundation of a potential future adequacy decision of the EU Commission, though it is not at any point presented as the end game or a certainty.
The EU-UK Joint Declaration, published alongside the TCA, includes a political commitment from the EU to secure a favourable adequacy decision for the UK within the near term. Yet, such Joint Declaration is not legally binding.
Perhaps the most compelling argument for the UK's adequacy is that, although there has been sustained criticism of the UK's interpretation of the previous EU Data Protection Directive 1995 and, more recently, of the EU GDPR, the UK never faced any infringement proceedings from the EU Commission for violation of EU data protection law while it was a Member State of the EU.
In that context, as a departing Member State of the EU, it would be difficult to imagine the UK data protection laws being considered, overnight, as not offering an adequate level of protection. The credibility and sustainability of the EU Commission's adequacy procedure may be at stake. Many other countries are queuing up to be considered for EU adequacy, not to mention the ongoing discussions between the EU Commission and the United States following the CJEU's Schrems II decision to invalidate the Privacy Shield, and should the UK be denied adequacy, the standards for adequacy would effectively become unattainable.
The relatively short Bridge Period established by the TCA also suggests that adequacy discussions may not be long and protracted, yet they need to follow the official procedure.
The adoption of an adequacy decision involves:
- a proposal from the European Commission;
- an opinion of the European Data Protection Board (EDPB);
- an approval from representatives of EU Member States; before
- the adoption of the decision by the European Commission.
Should the UK not be granted an adequacy decision by the end of the Bridge Period, the UK will find itself in a situation as if no deal had been reached in respect of data protection.
The question is and remains whether the UK will be granted EU adequacy and, if so, how long the EU Commission would take to adopt the adequacy decision in the unprecedented context of a previously law-abiding EU Member State leaving the EU.
B. The Challenges to the UK's EU Adequacy
Any adequacy decision by the Commission is likely to be put under intense public scrutiny and promptly challenged in the CJEU. Therefore, it will be crucial for the EU Commission to identify and address the main obstacles to adequacy.
In our view, there are three well-known and significant reasons which may seriously jeopardise the UK's adequacy.
1. UK's Surveillance Laws
UK law enforcement under the Investigatory Powers Act 2016 ("IP Act") (the so-called "Snoopers' Charter") relies on mass surveillance practices including targeted, thematic and bulk interception, equipment interference and communications data acquisition powers. While a majority are subject to prior approval by a Judicial Commissioner, not all are.
As a result, the CJEU has already ruled on several occasions that the UK's handling of personal data under the IP Act is not in line with EU law. In 2016, the CJEU issued its judgment in Watson/Tele2 on the existing data collection and retention by the security services which, according to the CJEU, contravened fundamental rights as enshrined in the Charter of Fundamental Rights ("CFR"). It resulted in the IP Act being amended to introduce prior independent approval of some categories of communications data request.
More recently, the CJEU ruled on 6 October 2020 that mass surveillance by national security agencies is unlawful. The CJEU came to this conclusion in both its judgments in the Privacy International case, and in the Joined Cases, La Quadrature du Net and Others, French Data Network and Others, and Ordre des barreaux francophones et germanophone and Others (referred to as La Quadrature du Net and Others). Both judgments are consistent with the now established case-law on the secondary use of personal data by intelligence services and law enforcement agencies, in particular traffic and location data initially collected by service providers for commercial purposes.
The CJEU judgement in the Privacy International case clarified that EU law sets out privacy safeguards regarding the collection and retention of data by national governments, that UK security agencies' collection of communications data was subject to EU law, and that general and indiscriminate collection of such data was unlawful.
However, it is worth bearing in mind that in the Joined Cases, the CJEU concluded that France and Belgium also engaged in such indiscriminate and unlawful practices. The UK was not an isolated case in the EU. The cases are to be returned to each individual country’s courts for implementation of the judgment.
In January 2019, Japan obtained EU adequacy in spite of its surveillance laws being similar to UK laws, leaving significant hope for UK's adequacy. However, the CJEU Judgement in Schrems II issued earlier in July 2020 invalidated the EU-US Privacy Shield adequacy decision precisely on the basis of unlawful mass surveillance practices.
2. The EDPB Recommendations on European Essential Guarantees
Following the CJEU Schrems II judgement, the EDPB published on 10 November 2020 its long-awaited recommendations and updated, in particular, its recommendations on European Essential Guarantees. The introduction to its recommendations includes a stark warning for the UK:
“The [Schrems II] judgment can thus serve as an example where surveillance measures in a third country (in this case the U.S. with Section 702 FISA and Executive Order 12 333) are neither sufficiently limited nor object of an effective redress available to data subjects to enforce their rights, as required under EU law in order to consider the level of protection in a third country to be “essentially equivalent” to that guaranteed within the European Union within the meaning of Article 45 (1) of the GDPR.”
The EDPB makes various references to the judgement in the Privacy International case and concludes that limitations on data protection and privacy rights in EU law may only be justifiable subject to the following legal requirements (the "EEGs"):
• processing should be based on clear, precise and accessible rules;
• necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated;
• an independent oversight mechanism should exist; and
• effective remedies need to be available to the individual.
The Privacy International case established that the above requirements were absent in respect to the UK security intelligence agencies’ powers under the Telecommunications Act 1984, and subsequently the IP Act, to collect communications data.
As a result, part of the EU Commission's assessment of the UK's adequacy will be to consider whether or not the EEGs are satisfied, as part of its wider consideration of whether the UK's legislation as a whole offers a level of protection essentially equivalent to EU law.
3. The Immigration Control Exemption in the DPA
The DPA 2018 may also raise concerns. The Joint Committee on Human Rights of the UK Parliament questioned in its report published in January 2018 whether the Act (then a bill) "offers protection that is equivalent to" the EU Charter of Fundamental Rights. Of serious concern is the exemption in the Act from data protection rights in areas relating to immigration control. It is highly probable that this contravenes the EU fundamental rights protections.
The question remains how far the UK is willing to amend the IP Act and reconsider the immigration control exemption to secure adequacy and whether the UK would be granted adequacy conditional upon doing so.
III. PRACTICAL STEPS
1. ICO Recommendations
Notwithstanding the interim regime, given the relatively short term of the Bridge Period and uncertainties around whether the UK will be granted adequacy at the end of the period, organisations should treat data transfers from the EU/EEA to the UK as transfers to a third country subject to appropriate safeguards.
The ICO said in its statement of 28 December 2020 in response to the TCA that, as "a sensible precaution, before and during this period, the ICO recommends that businesses work with EU and EEA organisations who transfer personal data to them, to put in place alternative transfer mechanisms, to safeguard against any interruption to the free flow of EU to UK personal data."
2. The EDPB Information Note
Furthermore, the EDPB's information note on data transfers after the transition period, dated 13 January 2021, effectively confirms that appropriate safeguards and the Schrems II decision will be relevant to transfers to the UK, in the absence of an adequacy decision.
Accordingly, UK and EU organisations should:
• Review their data maps and identify any personal data transfers between the UK and EU/EEA organisations, or circumstances in which they may be given access to EU/EEA personal data.
• Assuming a derogation does not apply, consider an appropriate mechanism for the transfer of data to the UK. In many cases, this is likely to be the standard contractual clauses ("SCCs") – and it is worth noting that it is still possible to use the existing EU SCCs, until the UK issues its own SCCs. However, it is anticipated that during 2021, new EU SCCs (which were published for consultation between November and December 2020) will be formally issued, as well as new UK SCCs – so, it may be helpful to retain some flexibility in contracts to enter into new SCCs in future.
• Bear in mind that, in the absence of an adequacy decision after the Bridge Period, the UK could be deemed not to offer a level of protection essentially equivalent to EU laws. Therefore, it may be helpful to consider, and be prepared to implement, appropriate supplementary contractual, technical and organisational measures, in the same way as might be needed for a transfer to the US following the Schrems II decision and as set out in the EDPB recommendations on European Essential Guarantees.
It is clear that 2021 will be a year in which international data flows are in sharp focus, following the CJEU Schrems II judgement, the new Brexit Deal and the UK's forthcoming EU Adequacy decision.