As part of its preparations for a potential “no deal” scenario when the United Kingdom (UK) leaves the European Union (EU) on 29 March 2019, the UK Department for Digital, Culture, Media and Sport (DDCMS) has released guidance on “Data protection if there’s no Brexit deal”.
Is the UK “Adequate”?
Whilst the UK remains part of the EU, there are currently no restrictions on transferring personal data (without consent from the individual) to the UK. Such restrictions apply to data transfers outside Europe, other than to certain “adequate” countries such as Canada or Switzerland, or where the importing business has a legally permissible mechanism in place, such as model clauses, binding corporate rules or the Privacy Shield. On its exit from the EU, the UK will become a “third country”, meaning that unrestricted cross-border transfers of data will no longer automatically be able to take place between the UK and the EU.
The UK is directly subject to the European General Data Protection Regulation 2016/679 (GDPR). It has supplemented the GDPR with the Data Protection Act 2018 (DPA 2018). When the UK leaves the EU, it will implement the GDPR directly into domestic law through the European Union (Withdrawal) Act 2018, resulting in the UK having data privacy laws equivalent to those of the remaining EU member states. See our previous LawFlash on the implications of Brexit for data privacy.
The DDCMS highlights in its guidance paper that if the European Commission deems the UK’s level of personal data protection to be equivalent to that of the EU, the European Commission would make an “Adequacy Decision” allowing the transfer of personal data to the UK without restrictions. In the event that the European Commission does not make an Adequacy Decision regarding the UK, the DDCMS states that the most relevant legal basis would be to implement standard model clauses. The UK government is, however, very much reliant on a fast-track Adequacy Decision being part of successful Brexit negotiations. In the event of “no deal”, no such determination is likely to be forthcoming.
Lawful Data Transfers
Under the GDPR, data transfers to third countries are permissible where there is an appropriate safeguard or a permitted derogation applies.
Safeguards may be provided by way of the following:
- A legally binding and enforceable instrument between public authorities
- Binding corporate rules (BCRs) approved by a data protection authority
- Standard contractual clauses adopted by the European Commission
- Standard contractual clauses adopted by a supervisory authority and approved by the European Commission
- An approved code of conduct
- An approved certification mechanism
- The EU-US/Swiss-US Privacy Shield arrangement
The permitted derogations are the following:
- The individual has explicitly consented after being informed of the risks of the transfer due to the absence of an adequacy decision and appropriate safeguards
- The transfer is necessary for the performance of a contract between the individual and the organisation, or for pre-contractual steps taken at the individual’s request
- The transfer is necessary for the performance of a contract made in the interests of the individual between the controller and another person
- The transfer is necessary to protect the vital interests of the data subject where the data subject is physically or legally incapable of giving consent
- The transfer is necessary for important reasons of public interest or to establish, exercise, or defend legal claims
- The transfer is made from a public register which is intended to provide information to the public and specific conditions are fulfilled
- The transfer is in the controller’s legitimate interests. This derogation can only apply if no other derogation is applicable, and only in respect of occasional transfers concerning a limited number of data subjects which are necessary for the legitimate interests of the data controller. The data controller is additionally required to provide appropriate safeguards for the personal data and to inform both the supervisory authority and the data subjects of the transfer. The assessment and the safeguard applied must be documented in accordance with Article 30 of the GDPR. Its application is likely to be of limited use for many data controllers.
UK’s Approach to Surveillance
There are some notable differences between the UK and remaining EU member states in their approach to state powers of monitoring and interception. The UK’s Regulation of Investigatory Powers Act 2000 (RIPA) and the new successor legislation, the Investigatory Powers Act 2016 (IPA), some of which is yet to be brought into force, remain controversial. The European Court of Human Rights (ECHR) recently ruled in Big Brother Watch and others v United Kingdom that aspects of the UK's surveillance regimes under RIPA breached the European Convention on Human Rights (the right to privacy and the right to freedom of expression). The applications to the ECHR followed Edward Snowden's 2013 revelations about the existence of surveillance and intelligence sharing programmes operated by the UK and US intelligence services. The applicants in this case believed that their electronic communications and/or communications data were likely to have been intercepted or obtained by the UK intelligence services. The ECHR analysed three different types of surveillance: the bulk interception of communications, intelligence sharing, and the obtaining of communications data from communications service providers.
Although governments have a margin of appreciation in deciding what kind of surveillance scheme is necessary to protect national security, the operation of such systems must meet basic minimum safeguards. The ECHR held by a majority that there was inadequate oversight at various stages of the operation and no real safeguards governing the selection of related communications data for examination. Therefore, there was a violation of the right to privacy. The ECHR also held by a majority that the regime for obtaining communications data from communications service providers violated the right to privacy, as it was not in accordance with the law. Both the bulk interception regime and the regime for obtaining communications data from communications providers infringed the right to freedom of expression, as there was insufficient protection for journalistic sources or confidential journalistic materials. The regime for intelligence sharing with foreign governments, however, did not infringe the rights to privacy or freedom of expression.
The European Commission is likely to take into account the UK’s surveillance regime when assessing if the UK is “adequate” and the UK government may need to consider legislative changes to IPA, particularly in light of the Big Brother Watch case.
Applying for an Adequacy Decision
The usual process for applying for an Adequacy Decision is lengthy.
It seems unlikely that an Adequacy Decision for the UK will be granted without a wider deal on Brexit and a fast-tracked determination, because usually (a) such decisions are made in respect of third countries, which the UK will become only upon Brexit; and (b) the Adequacy Decision process can be quite lengthy. For example, it took 42 months for the European Commission to issue an Adequacy Decision for Israel, 27 months for Andorra, 17 months for Argentina, and four years for New Zealand. Japan has only recently (in July 2018) successfully obtained its Adequacy Decision, after many years of discussions and an agreement on trade. It is certainly realistic that the differences between the EU data protection framework and the DPA 2018, as well as IPA, may cause the European Commission to decide against the adequacy of the UK regime on the basis that they undermine the overall EU data protection regime. An Adequacy Decision is, in any event, not granted in perpetuity, and if it is granted, any changes to the UK data protection regime post-Brexit might cause the European Commission to reassess its decision at the next adequacy review.
Although the UK government has referenced the use of model clauses for data transfers from the remaining EU member states to the UK in the absence of an Adequacy Decision in the DDCMS announcement, the validity of model clauses is currently under judicial challenge in a case involving Max Schrems and Facebook Ireland. If they are invalidated by the Court of Justice of the European Union, an alternative basis for data transfers will need to be found for data transfers to the UK and elsewhere outside Europe. The EU-US/Swiss-US Privacy Shield is due for its second annual review in October. The other alternative for the free-flow of data outside Europe is binding corporate rules, which can take some time to implement and need the approval of one of the European supervisory authorities which can, of itself, take a year or longer to obtain.
In this late stage of Brexit negotiations, there is still no certainty as to whether the UK will be granted an Adequacy Decision. As such, UK organisations should start thinking of alternative arrangements that will need to be put in place in order to ensure that data can flow in a practical manner to the UK where a permitted derogation does not apply. Other than binding corporate rules, the options of approved codes of conduct, approved privacy seals, and/or certifications will likely need to be considered by European organisations. The ICO has announced that trade associations and sector representatives can create codes of conduct for its approval and where a code of conduct covers more than one country, the European Data Protection Board (formerly the Article 29 Working Party) will submit its opinion to the European Commission for approval. The ICO has also announced that it will publish accreditation requirements for certification bodies to meet. The European Data Protection Board published draft guidelines on accreditation for certification bodies which were open for consultation and the supervisory authorities are still considering the responses. This further increases the pressure on the UK government to agree to a Brexit deal that includes a determination of adequacy for the UK.