Now that the UK has left the EU, we are automatically considered a ‘third country’, that is, an outsider to the EU arrangements over data protection.
Anyone within Europe who sends data to or receives data from a third country needs to ensure that additional protections are in place. They are not allowed to rely on the laws of that third country, *unless* the EU has made a ‘finding of adequacy’ under which that country can be treated as though it is within the EEA.
To allow time for the finding of adequacy to be considered and granted to the UK post-Brexit, a ‘bridge’ (transition period) was put in place which would allow business to continue as usual. This bridge expires on 30 June 2021, when everyone anticipated it would be replaced by a finding of adequacy as a long-term arrangement between the EU and the UK covering data protection and the transfer of personal data.
Many people assumed that the finding of adequacy would be a simple process. However, the EU announced they would only grant this to the UK for a four-year period, despite other countries having open-ended adequacy decisions. Also, the process isn’t simple, and it isn’t through yet even though we are now in mid-June.
The bridge could be about to collapse or close. This will affect any business that sends or receives personal data to or from the EEA, or that has or targets EEA-based customers.
In Europe, the EU Commission put forward a draft adequacy finding to the European Parliament for approval on 28 May. MEPs rejected this by a majority vote, and supported a resolution to revise the draft.
They highlighted several areas of concern.
Bulk access practices…
The MEPs highlighted some exemptions from the UK’s GDPR rules which apply in relation to security and immigration services, so those services can access and hold bulk data without establishing whether or not a person is suspected of a criminal offence.
With this come two related concerns…
Firstly, the MEPs considered this was inconsistent with the EU GDPR (allowing broad access to data without a basis for suspicion).
Secondly, in relation to ‘onward transfer’, the question is whether the UK’s arrangements with other countries, to which it may transfer data received from the EEA, meet EU standards when that data is transferred on.
So, for example, the UK and the US have a data-sharing arrangement, but the US is considered by the EU to fall short of adequate data protection standards, and thus, prior to Brexit, additional safeguards were required before transferring personal data about EEA-based individuals. Post-Brexit, the MEPs noted that the UK is no longer required by EU law to insist on those extra safeguards.
This is heightened by the fact that the UK has applied to join the Comprehensive and Progressive Trans-Pacific Partnership (CPTPP). This would imply the UK having data-sharing arrangements with other countries, some of which are not considered to provide adequate data protection by the EU.
Meanwhile, a couple of trials are going through the court system in Europe and the UK that impact these issues. Both of them came to judgement at the end of May…
On 25 May, the European Court of Human Rights reached its second decision in a case that originated with the Snowden Affair, called “Big Brother Watch and Others v the UK”. BBW challenged the legality of the rules allowing bulk interception of data under the Investigatory Powers Act 2016.
The European Court of Human Rights agreed with BBW, and found the powers flout articles 8 and 10 of the Convention and so are unlawful, largely because the UK regulations didn’t provide enough safeguards against risks of abuse of powers.
In the UK…
Another case reached the Court of Appeal, which relates to challenges brought by the Open Rights Group and Others against the exemptions from some of the controls that the Home Office is relying on when handling immigration data.
The Court of Appeal held that exemptions to paragraph 4 of the Data Protection Act 2018 have wide-ranging unlawful implications, particularly in the context of the Windrush scandal.
It wasn’t just the Information Commissioner’s Office but also the charity Liberty (of which I am a member) that intervened and made submissions to court in this case.
A further decision now needs to be made in a separate hearing about what relief the court will grant in respect of the application of these regulations. Given that the finding (in the first decision) is that they are unlawful, further claims for relief, and so further decisions, are likely to follow, with the effect of refining and defining the extent to which the exemptions can be lawfully used… or not.
With all that in mind, and in spite of the potentially negative impact on the UK’s relationship with the EU, it seems unlikely that the government will have time to rush through a change to the regulations before the end of June.
Impact on business
It all increases pressure on the government to improve regulation in these respects and put considered arrangements in place with non-EEA countries.
The European Parliament, the Court of Human Rights, the Court of Appeal – all this may seem quite remote to you as a director, shareholder or business-owner.
But it does matter.
We’re in mid-June, and the bridge could close or collapse at the end of this month unless there is an agreement to extend it OR the European Parliament is persuaded that changes and protections are put in place and they grant the adequacy decision in favour of the UK.
If the bridge closes…
Any business that sends or receives data between the UK and the EEA will need to put in place the same kind of arrangement they have previously put in place when dealing with non-EEA jurisdictions.
This is primarily likely to mean:
- Adding standard contractual clauses – you’ll need to check they comply with both UK and EU law to make them workable; OR
- Including binding corporate rules – again, check both sets of law to reassure yourself they work; AND
- Putting in place operational safeguards that you’ve not previously needed when dealing with data originating from, or being transferred to, the EEA.
It’s worth noting that the European Commission issued a press release at the end of May recommending that national data protection authorities should suspend personal data transfers between their respective countries and the UK if the EEA standards of data protection could not be assured.
This is therefore also a possibility when we get to the end of June.
It’s not all bad news
My personal view is that, if this pressure has the effect of the UK retaining safeguards and standards in these areas equivalent to the EU regulations, and thus we get and retain the finding of adequacy, that would be better than becoming excluded and perhaps starting a race to the bottom.
I am sure the Government’s lawyers are hoping to get this over the line by the end of June, but I fear it will be different. The timing for business is very sharp. So you will need to plan for the best and be prepared for the worst.
As always, if you need any help, please let me know.