UK Adequacy Guidelines vis-a-vis GDPR and the Schrems II Judgment
Following Brexit[i], the UK is now a “third country” when it comes to data protection. Under the trade deal concluded between the UK and EU at the end of 2020, data was allowed to flow freely between the EU and UK for six months, i.e., until 30 June 2021.[ii] After that, however, all personal data sent from the EU to the United Kingdom should be properly covered in accordance with the EU General Data Protection Regulation (EU GDPR) and the EU Law Enforcement Directive (EU LED).[iii]
In light of this, on February 19, 2021, the European Commission published two draft decisions finding that UK law provides an adequate level of protection for personal data.[iv] The first draft concerns allowing private companies in the EU to continue to transfer personal data to the UK without the need for any additional safeguards.[v] The second will enable EU law enforcement agencies to transfer personal data subject to Directive 2016/680, the Data Protection and Law Enforcement Directive (LED), to their UK counterparts.[vi]
Since Brexit there has been a lot of debate about what changes will eventually arise in the law, both in the EU and in the UK. As of now, the guidelines issued explicitly mention the adequacy of UK laws in comparison with EU laws. However, a few discrepancies have also been noticed. The draft decisions are discussed below, along with the applicable rules of the GDPR, in light of the Schrems II judgment, which deals with the invalidation of the US-EU Privacy Shield and with adequacy.
UK adequacy decision
According to Article 45(3) of Regulation (EU) 2016/679, the Commission may determine, by means of an implementing act, that a third country, a territory, or one or more designated sectors within a third country or an international organization shall ensure an adequate standard of security. Under this condition, transfers of personal data to a third country take place without the need for further authorization, as provided for in Article 45(1) and recital 103 of that Regulation.
The implementation of an adequacy decision must be based on a thorough review of the legal order of the third country, covering both the laws applicable to data importers and the restrictions and protections with regard to access to personal data by public authorities.[vii] In its assessment, the Commission needs to ascertain whether the third country in question ensures a level of protection which is “essentially equivalent” to that ensured within the European Union.[viii]
The General Data Protection Regulation (GDPR) remains applicable in the UK for a maximum period of six months (at the latest until July 1, 2021).[ix] Following the adoption of an adequacy decision by the European Commission, no formal authorization will be needed and personal data will continue to flow freely from the European Economic Area (EEA) to the United Kingdom. In any event, such organizations must continue to comply with the GDPR and must apply it when transmitting personal data to the United Kingdom (e.g., the principle of lawfulness, the compatibility of the communication with the initial processing activity and information to the data subjects). The National Commission for Data Protection (CNPD) has issued guidelines[x] on transfers of data to a country outside the EEA with an adequate level of protection. [xi]
Despite the optimal outcome for the EU and the UK companies and law enforcement authorities, the draft decisions will only apply for a term of four years from the date of entry into force and will expire after that period, unless extended by the Commission. This is a tougher approach than that adopted by the Commission with regard to its finding of suitability for Japan[xii], which would not expire without repeal by the Commission or invalidation by the Court of Justice of the European Union (CJEU). The bottom line is that the Commission will need to carry out a further full evaluation of the adequacy of UK law within four years and can also review the decision sooner if it finds that UK law has materially changed. Until decisions are finalized, the European Data Protection Board (EDPB) will issue an opinion on the Commission’s evaluation of the adequacy of UK legislation, and the Member States will then possibly send the Commission the green light to proceed.[xiii]
What is Schrems II judgment?
On 16th July 2020, the CJEU issued its much-anticipated judgment[xiv] in what has become known as the Schrems II case.
Most organizations that move personal data outside the EU depend on data transfer agreements (which follow the ‘Normal Contract Clauses’ or ‘Model Clauses’) or, for transfers to the US, on the EU:US Privacy Shield Framework to meet the need for appropriate data security to the EU standard. In Schrems II, the CJEU was asked to review the validity of the Privacy Shield and the Standard Contract Clauses (SCCs) as authorized frameworks to secure the transfer of personal data from the EU under the General Data Protection Regulation.
This is a dramatic shift in how the Standard Contract Clauses are implemented in practice, and it affects current as well as new transfers that depend on them: not only transfers to the US, but transfers to all other “third countries” that do not have an appropriate decision from the EU Commission. If you want to continue applying the Standard Contract Clauses as a solution for current and new data transfers, these evaluations of appropriate security for each specific data stream in each particular country will have to be activated and registered.[xv]
In accordance with the GDPR, when moving personal data from an EU country to a country which has not verified the adequacy of its standard of protection of personal data (known as a third country), one must use a transfer mechanism that demonstrates an equal level of protection.[xvi] This is what makes the data transfer legal.
The Schrems II decision[xvii] specifically looks at Privacy Shield and standard contractual clauses (SCCs). Although Privacy Shield has been invalidated, SCCs remain a valid, legal mechanism for data transfers; however, they will now be taken on a case-by-case basis.
Although the Court of Justice of the European Union (CJEU) made it clear in Schrems II that merely relying on existing SCCs as a legal transfer mechanism following the invalidation of the EU-US Privacy Shield would not be enough to comply with the rules on data transfer, the CJEU failed to specify what else would be required to comply with them. In its ruling, the CJEU argued that businesses relying on SCCs would need to enact “supplementary steps” to ensure that personal data would be sufficiently secured when moved from the EEA to a country considered to have inadequate security, but the court did not set out what these additional measures would entail. [xviii]
UK adequacy decision, Brexit and GDPR
The most awaited post-Brexit consideration in the field of privacy was whether the EU would decide that the UK would have an acceptable degree of data security. Such an appropriate status, held by very few countries around the world, including Israel, Canada and South Korea, will remove the need for companies transmitting personal data between the United Kingdom and EU Member States to depend on SCCs or some other authorized data transfer system for legitimate data transfer.
The final aspect of the evaluation is likely to be the most contentious, since the laws of the United Kingdom regulating public authorities’ access to personal data do not derive directly from EU law and are thus more likely to diverge. In addition, both Schrems I and Schrems II invalidated the conclusions of the European Commission on the adequacy of the Safe Harbor and Privacy Shield systems on the grounds that U.S. public authorities were able to access and use personal data relating to the EU data subjects in a manner inconsistent with EU law.
This review was carried out mainly in relation to the GDPR ruling, since public authorities already have access to the data in the sense of the law enforcement process under the LED. In any case, the Commission first identified three concepts applicable to the assessment:
- That any restriction on the right to the protection of personal data must be laid down in law and that the law allowing such limitation must specify its scope;
- That any limitation of this right must be proportionate, meaning that it must be applied only to the extent that it is strictly required in a democratic society to achieve particular objectives of public interest; and
- That the law setting out these limits must be legally binding and enforceable before local courts by data subjects. [xx]
The Commission reiterates the value of the 1998 Human Rights Act and of the United Kingdom’s membership of the Council of Europe, which it states ‘underlines its scheme of governmental access on the basis of principles, protections and individual rights similar to those granted under EU law and applicable to Member States’ (Recital 120). It also states the protections on access to law enforcement and intelligence services set out in Parts III and IV of the DPA, including, in particular, that the DPA integrates the DPR principles on data security, safeguards on the processing of special category data and international transfers. [xxi]
In particular, the GDPR Decision sets out the specific powers of law enforcement and intelligence agencies to access personal data (whether search or production orders or investigative powers under the 2016 Investigatory Powers Act (IPA)), as well as the limitations and safeguards on such access (in particular the requirement for access to be necessary and proportionate) and oversight. It also addresses the effect of the United Kingdom-U.S. Agreement, in which U.S. public authorities can require the disclosure of personal data by companies located in the United Kingdom, subject to the limitations and safeguards set out in that Agreement.
Importantly, the proposal for a decision states that all disclosures under the United Kingdom and the United States agreement would be subject to the same guarantees as those provided for in the European Union and United States Umbrella Agreement. The Commission underlines the existence of limitations and safeguards, in particular the requirement for a connection between the specific power to be used and the underlying operational objective, requirements for necessity and proportionality, limitations on the use of data in the DPA, and supervision by the various regulatory authorities (including the ICO, Investigatory Powers Commissioner, Investigatory Powers Tribunal, and the Parliamentary Intelligence and Security Committee). According to the Commission, this distinguishes powers under the IPA from “mass surveillance” (Recital 211).
If the Commission ascertains within these four years that the laws of the UK are inadequate to protect personal data, it has the power to undo its adequacy decision; the member countries also still have to accept the decision of the Commission. If the laws of the UK become inadequate in protecting personal data flowing from the EU to the UK, the Schrems II judgment will come into play: in the absence of adequacy guidelines, appropriate safeguards according to Article 46[xxii] of the GDPR or derogations according to Article 49 of the GDPR will have to be taken into consideration, which will have a major impact on data transfers not only from the EU to the UK but would also complicate the procedure in general.
This article can be cited as:
Kirtika Shukla, UK Adequacy Guidelines vis-a-vis GDPR and the Schrems II Judgement, Metacept- Communicating the Law, accessible at https://metacept.com/uk-adequacy-guidelines-vis-a-vis-gdpr-and-the-schrems-ii-judgment.
[i] When did the United Kingdom leave the European Union? Government of Netherlands, Dec. 31, 2020 https://www.government.nl/topics/brexit/question-and-answer/when-will-the-united-kingdom-leave-the-european-union.
[ii] Kelly M. Hagedorn, Matthew Worby, European Commission Publishes Draft UK Adequacy Decisions, Jenner & Block London LLP, Feb. 22, 2021, https://jenner.com/system/assets/publications/20736/original/European_Commission_Publishes.pdf?1614024018.
[iv] William Rm Long, Francesca Blythe, European Commission Publishes Draft UK Adequacy Decisions, Data Matters, Feb. 19, 2021, https://datamatters.sidley.com/european-commission-publishes-draft-uk-adequacy-decisions.
[v] Commission Regulation 2016/679, Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, art. 45, 2016, O.J. (L 119) 1 (EC).
[vi] Dan Cooper, Paul Maynard, European Commission Publishes Draft UK Adequacy Decisions, Inside Tech Media, Mar. 2, 2021, https://www.insidetechmedia.com/2021/03/02/european-commission-publishes-draft-uk-adequacy-decisions/#page=1.
[vii] Commission Regulation 2016/679, Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, art. 45 (2), 2016, O.J. (L 119) 1 (EC).
[viii] Commission Regulation 2016/679, Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, recital 104, 2016, O.J. (L 119) 1 (EC).
[ix] Annie Elfassi, Brexit and GDPR, Baker McKenzie, Jan. 29, 2021, https://www.bakermckenzie.com/en/insight/publications/2021/01/brexit-and-gdpr.
[x] Transfers Towards A Country Outside the European Economic Area with An Adequate Level Of Protection, National Commission for Data Protection, https://cnpd.public.lu/en/dossiers-thematiques/transferts-internationaux-donnees-personnelles/Reglement-general-sur-la-protection-des-donnees.html.
[xi] Supra note 9.
[xii] Supra note 6.
[xiv] Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems and intervening parties.
[xv] Schrems II Judgement: EU:US Privacy Shield Framework for personal data transfers is invalidated; Standard Contractual Clauses need re-assessment…, Eversheds Sutherland, July 20, 2020, https://www.eversheds-sutherland.com/global/en/what/articles/index.page?ArticleID=en/global/ireland/schrems-ii-judgement-170720.
[xvi] See GDPR Third Countries, Intersoft Consulting, https://gdpr-info.eu/issues/third-countries/.
[xvii] International: Schrems II: What you need to know, Data Guidance, July 2020, https://www.dataguidance.com/opinion/international-schrems-ii-what-you-need-know.
[xviii] Lowenstein Sandler LLP, Post-Brexit, Schrems II, And The GDPR: Privacy Compliance Priorities in Early 2021 (Part Two), JDSUPRA, Feb. 1, 2021, https://www.jdsupra.com/legalnews/post-brexit-schrems-ii-and-the-gdpr-5054515/.
[xix] Lowenstein Sandler LLP, Post-Brexit, Schrems II, And The GDPR: Privacy Compliance Priorities In Early 2021, JDSUPRA, Jan. 22, 2021, https://www.jdsupra.com/legalnews/post-brexit-schrems-ii-and-the-gdpr-1733353/.
[xx] Supra note 6.
[xxi] Supra note 6.
[xxii] Commission Regulation 2016/679, Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, art. 46, 2016, O.J. (L 119) 1 (EC).